Edit tour

Windows Analysis Report
LisectAVT_2403002A_327.dll

Overview

General Information

Sample name:	LisectAVT_2403002A_327.dll
Analysis ID:	1482334
MD5:	40730e4027614dd45d6aae3f4dca0a48
SHA1:	13d9812a91640771c4acc6f98aef1d1b28a38b1c
SHA256:	527d79357bf1ec94197e8e9cd404073060508ad7a77b714cc7c2f2e34ad08623
Tags:	dllexeWannaCry
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7304 cmdline: loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7396 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7416 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7444 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 60A91A498C0F1FFDDEF484C5A4D42564)

rundll32.exe (PID: 7404 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002A_327.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7648 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7664 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 60A91A498C0F1FFDDEF484C5A4D42564)

svchost.exe (PID: 7564 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

mssecsvr.exe (PID: 7616 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 60A91A498C0F1FFDDEF484C5A4D42564)

svchost.exe (PID: 2332 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_327.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
LisectAVT_2403002A_327.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
LisectAVT_2403002A_327.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\mssecsvr.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvr.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\mssecsvr.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvr.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvr.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000000.1326342765.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.1341643809.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1297845687.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.1322719614.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 7444	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7616	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7664	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.mssecsvr.exe.22778c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.1d4f084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.22a996c.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.22a996c.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.22a996c.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.22a996c.9.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.1d81128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.1d81128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.1d81128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.1d81128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.2286948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.2286948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.2286948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.2286948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.1d5e104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.1d5e104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.1d5e104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.1d5e104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.1d4f084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.1d4f084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.1d4f084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.22778c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.22778c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.22778c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.22a996c.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.22a996c.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.22a996c.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.22a996c.9.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.1d81128.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.1d81128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.1d81128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.1d81128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.mssecsvr.exe.2286948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.2286948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.2286948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.1d5e104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.1d5e104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.1d5e104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.22828e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.22828e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.22828e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.1d5a0a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.1d5a0a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.mssecsvr.exe.1d5a0a4.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 117 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 7564, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T21:34:55.923849+0200
SID:	2022930
Source Port:	443
Destination Port:	50078
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T21:34:02.298829+0200
SID:	2830018
Source Port:	53342
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection - Source IP: 192.168.2.7 - Destination IP: 36.4.231.1

Timestamp:	2024-07-25T21:34:15.727764+0200
SID:	2001569
Source Port:	49831
Destination Port:	445
Protocol:	TCP
Classtype:	Misc activity

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T21:34:17.088039+0200
SID:	2022930
Source Port:	443
Destination Port:	49821
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_327.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/c	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234ea	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5ef	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/M:	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/a	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/4	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/D	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5be	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\mssecsvr.exe

Avira: detection malicious, Label: TR/Ransom.Gen

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.2% probability

Machine Learning detection for dropped file

Source: C:\Windows\mssecsvr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_327.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: LisectAVT_2403002A_327.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:50078 version: TLS 1.2

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1721936043.4587265
Source: global traffic	HTTP traffic detected: GET /?subid1=20240726-0534-041f-8fb2-8866394234ea HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20240726-0534-055f-94f1-815196e9c5be HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=39fec269-4c93-4234-939b-afff81d34501

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.74
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.74
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.74
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.74
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 64.16.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.0
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.0
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.0
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.0
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 6.118.192.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.210
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.210
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.210
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.210
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.127.160.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.225.62.88

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cmhE9WbprTxRD5l&MD=pYgsfsSr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cmhE9WbprTxRD5l&MD=pYgsfsSr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1721936043.4587265
Source: global traffic	HTTP traffic detected: GET /?subid1=20240726-0534-041f-8fb2-8866394234ea HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20240726-0534-055f-94f1-815196e9c5be HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=39fec269-4c93-4234-939b-afff81d34501

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: time.windows.com

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1971801364.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1337589646.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5ef
Source: mssecsvr.exe, 00000009.00000002.1971801364.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234
Source: mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5
Source: mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/D
Source: mssecsvr.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000009.00000002.1971801364.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)
Source: mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/4
Source: mssecsvr.exe, 00000009.00000002.1971801364.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/M:
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/a
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/c
Source: mssecsvr.exe, 00000009.00000002.1971351728.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJO
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comc

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:50078 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: LisectAVT_2403002A_327.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.22778c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.1d5e104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.1d5a0a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.1326342765.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1341643809.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1297845687.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1322719614.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvr.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_327.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: LisectAVT_2403002A_327.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.22778c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d4f084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.22778c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.22778c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.1d5e104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d5e104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.1d5a0a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.1d5a0a4.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: mssecsvr.exe.4.dr

Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: LisectAVT_2403002A_327.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: LisectAVT_2403002A_327.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: LisectAVT_2403002A_327.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.22778c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d4f084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.22a996c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.1d81128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.1d5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.22778c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.22778c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.22a996c.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.1d81128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.1d5e104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d5e104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.1d5a0a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.1d5a0a4.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: LisectAVT_2403002A_327.dll, mssecsvr.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/2@3/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		9_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 9_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		9_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03

Source: LisectAVT_2403002A_327.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002A_327.dll,PlayGame

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002A_327.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002A_327.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: LisectAVT_2403002A_327.dll

Static file information: File size 5267470 > 1048576

Source: LisectAVT_2403002A_327.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\mssecsvr.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\mssecsvr.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe TID: 7712	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7712	Thread sleep time: -198000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7716	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7716	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7712	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mssecsvr.exe, 00000006.00000002.1337589646.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1971801364.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1971801364.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000008.00000002.2546611181.0000025798630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	14 Windows Service	14 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_327.dll	100%	Avira	TR/AD.WannaCry.nvufj
LisectAVT_2403002A_327.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\mssecsvr.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/c	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234ea	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5ef	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/M:	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/a	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/4	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJO	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/D	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5be	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comc	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.226	true	false	unknown
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	unknown
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	unknown
time.windows.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234ea	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5be	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/M:	mssecsvr.exe, 00000009.00000002.1971801364.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)	mssecsvr.exe, 00000006.00000002.1337589646.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5	mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&	mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.1337589646.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1971801364.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5ef	mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1337589646.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mssecsvr.exe.4.dr	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/c	mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/a	mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234	mssecsvr.exe, 00000009.00000002.1971801364.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000009.00000002.1971351728.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/D	mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/4	mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJO	mssecsvr.exe, 0000000B.00000002.1342028253.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comc	mssecsvr.exe, 00000006.00000002.1337589646.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.124.94.222	unknown	Finland	198024	FI-ISTEKKI-ASFI	false
199.207.38.1	unknown	United States	7227	KPMGL-ASUS	false
95.210.118.1	unknown	Italy	29286	SKYLOGIC-ASIT	false
119.225.62.88	unknown	Australia	7474	OPTUSCOM-AS01-AUSingTelOptusPtyLtdAU	false
4.84.89.1	unknown	United States	3356	LEVEL3US	false
199.180.31.91	unknown	Canada	32536	4WEB-CA	false
132.107.82.189	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
188.219.99.197	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
16.68.196.1	unknown	United States	unknown	unknown	false
13.55.192.1	unknown	United States	16509	AMAZON-02US	false
136.185.8.1	unknown	India	3455	WAUSAU-INSUS	false
80.67.170.1	unknown	France	20766	GITOYEN-MAIN-ASThemainAutonomousSystemofGitoyenParis	false
95.43.108.1	unknown	Bulgaria	8866	BTC-ASBULGARIABG	false
210.44.60.232	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221
192.168.2.101
192.168.2.222
192.168.2.220
10.54.96.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482334
Start date and time:	2024-07-25 21:33:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_327.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/2@3/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9, 2.19.126.137
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_327.dll

Simulations

Behavior and APIs

Time	Type	Description
15:34:04	API Interceptor	1x Sleep call for process: loaddll32.exe modified
16:49:48	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	Ia93PTYivQ.exe	Get hash	malicious	BlackMoon, Neshta	Browse	199.59.243.226
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	199.59.243.226
	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	199.59.243.226
	http://sectocarewl.online/mona-michelle/	Get hash	malicious	Unknown	Browse	199.59.243.226
	file.exe	Get hash	malicious	CMSBrute	Browse	199.59.243.225
	SlHgSOYcMY.exe	Get hash	malicious	Unknown	Browse	199.59.243.225
	https://upsmychoicedeals.com	Get hash	malicious	Unknown	Browse	199.59.243.225
	http://free.filesearch.club/?q=grade+9+core+french+textbook	Get hash	malicious	Unknown	Browse	199.59.243.225
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	199.59.243.225
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	199.59.243.225
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	103.224.212.215
	lJt3mQqCQl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	xIwkOnjSIa.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	IU28r0EZFA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	ViNIRfmQmE.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	Ee3RWj3ID9.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220
	YB7v7UFV3j.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220
	B0U3oOhQJu.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KPMGL-ASUS	sh4.elf	Get hash	malicious	Mirai	Browse	199.207.116.185
	bolonetwork.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	199.207.187.38
	TV7RLVOmvl.elf	Get hash	malicious	Mirai	Browse	199.207.163.27
	pDWZMd3100.elf	Get hash	malicious	Mirai, Gafgyt	Browse	199.207.138.92
	GcOeQTPzrh.elf	Get hash	malicious	Unknown	Browse	199.207.163.40
	DHz0sMSRlg.elf	Get hash	malicious	Mirai	Browse	199.207.204.158
	bot.mpsl-20240324-1846.elf	Get hash	malicious	Mirai, Moobot	Browse	199.207.187.36
	huhu.x86_64.elf	Get hash	malicious	Mirai, Okiru	Browse	199.207.163.44
	huhu.arm.elf	Get hash	malicious	Mirai	Browse	199.207.163.23
	28zfOuBIRZ.elf	Get hash	malicious	Mirai	Browse	199.207.116.199
OPTUSCOM-AS01-AUSingTelOptusPtyLtdAU	vQPpTr8mfm.elf	Get hash	malicious	Mirai	Browse	220.101.95.182
	eW8ah5TCen.elf	Get hash	malicious	Unknown	Browse	220.101.95.185
	https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fyourremittance.com.au%2ft%2fs%2fUD5xw4r&umid=cc04381d-8482-4529-83d6-e97329962ac3&auth=3a5566c60b1f4d8525fa8ab109f94675a663eb25-bbc82991079aa7c5d0d2ec918ad27ef8f965c70a	Get hash	malicious	Unknown	Browse	223.27.177.69
	o85sjrF5oi.elf	Get hash	malicious	Unknown	Browse	203.16.141.225
	V7UaNBrX72.elf	Get hash	malicious	Mirai, Moobot	Browse	203.202.66.255
	LEpsypIZxU.elf	Get hash	malicious	Mirai, Moobot	Browse	203.18.174.201
	cEEsFMSdw8.elf	Get hash	malicious	Mirai	Browse	59.154.22.248
	SJ5SyRpCFA.elf	Get hash	malicious	Unknown	Browse	59.154.199.208
	16knGm6BfY.elf	Get hash	malicious	Mirai, Moobot	Browse	125.63.206.165
	i586.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.50.126.193
SKYLOGIC-ASIT	LisectAVT_2403002A_80.exe	Get hash	malicious	GuLoader	Browse	84.247.147.161
	LisectAVT_2403002A_80.exe	Get hash	malicious	GuLoader	Browse	84.247.147.161
	Lisect_AVT_24003_G1B_122.exe	Get hash	malicious	Unknown	Browse	154.73.28.157
	gw3yTM2uiZ.elf	Get hash	malicious	Mirai	Browse	5.61.193.147
	arm5-20240623-2204.elf	Get hash	malicious	Mirai	Browse	197.234.45.5
	033MSOG241591GHD.out.vbs	Get hash	malicious	Unknown	Browse	84.247.168.16
	sYgsg1JAC0.elf	Get hash	malicious	Mirai	Browse	213.209.187.32
	j5pd3mg5a4.elf	Get hash	malicious	Mirai, Moobot	Browse	213.16.215.3
	Mt5VyD087r.elf	Get hash	malicious	Mirai	Browse	197.234.45.7
	1Q1yL9boQn.exe	Get hash	malicious	AsyncRAT	Browse	84.247.154.81
FI-ISTEKKI-ASFI	5QXQt577gu.elf	Get hash	malicious	Unknown	Browse	31.172.156.2
	7cG80udQjG.elf	Get hash	malicious	Mirai	Browse	31.172.156.9
	47RMaTbdd4	Get hash	malicious	Mirai	Browse	31.172.156.8
	arm	Get hash	malicious	Mirai	Browse	31.172.156.1
	EHqBakwhNU	Get hash	malicious	Unknown	Browse	31.172.152.43

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	LisectAVT_2403002A_349.exe	Get hash	malicious	Unknown	Browse	20.114.59.183
	LisectAVT_2403002A_362.exe	Get hash	malicious	Unknown	Browse	20.114.59.183
	https://pousadaalgodaodapraia.com.br/wp-includes/Kinsh.html	Get hash	malicious	Unknown	Browse	20.114.59.183
	http://www.artisteer.com/?p=affr&redirect_url=https://tdg.site4clientdemo.com/vendor/bin/hereme/43432/6467r/biddept@lakeshorelearning.com	Get hash	malicious	HTMLPhisher	Browse	20.114.59.183
	http://exchange.adsbymediavine.com/usersync/sync	Get hash	malicious	Unknown	Browse	20.114.59.183
	https://forms.office.com/r/2sQKUFgdzE	Get hash	malicious	HTMLPhisher	Browse	20.114.59.183
	https://cutt.ly/98486848789-form-sharepolnt-PROJECTJULY2024-pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	20.114.59.183
	https://url.us.m.mimecastprotect.com/s/E8trC5yxE7iZK9MZ8-vl	Get hash	malicious	Unknown	Browse	20.114.59.183
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	20.114.59.183
	http://littlebighero.ch	Get hash	malicious	Unknown	Browse	20.114.59.183

Process:	C:\Windows\mssecsvr.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.41396277039335
Encrypted:	false
SSDEEP:	6144:ncifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNb5+:ci58oSWIZBk2MM6AFBZo
MD5:	AD08CADF252A271ADF997A69096E825D
SHA1:	076825D458B6F35FBCFA9C9C7D6B3AFE87723CD7
SHA-256:	C2985FC0E20305ECF8EE629831EEC2DFB0ED0769E4939C1C9FC1C162304D90B8
SHA-512:	3A103AD0B66C16CF99F8486B91908BFB4280388B6833AC4B33C5358C5336AA182B870FA4BA7867837B69C163BC13CEFE1A63F404EA1E77DF25D8D65E3B97F133
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm2.#.................................................................................................................................................................................................................................................................................................................................................].5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvr.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2281472
Entropy (8bit):	4.118469343904641
Encrypted:	false
SSDEEP:	12288:eQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXF5:VbLguVQhfdmMSirYbcMNgef0QeQjG
MD5:	60A91A498C0F1FFDDEF484C5A4D42564
SHA1:	A15DCD408C0AEE1F5F38B50528583BDEE6536227
SHA-256:	03DC66C9970481C5958D247F9EBA93A6A7AD9F9BBF94845B9FBEA8ED1E1E0757
SHA-512:	E7B7A308227FC3C72D8D1BD262389257E1F2FA419F6CEFF58F73A06F850245F6E1068EA74CF42388EE2CA2712D7B5D9A2CE0E6F7264C3885B82C1CAA70891E55
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvr.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L......................"...................@...........................P......................................................1..z...........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc.........1...... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.0274814419049543
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_327.dll
File size:	5'267'470 bytes
MD5:	40730e4027614dd45d6aae3f4dca0a48
SHA1:	13d9812a91640771c4acc6f98aef1d1b28a38b1c
SHA256:	527d79357bf1ec94197e8e9cd404073060508ad7a77b714cc7c2f2e34ad08623
SHA512:	e5c0227ad427bdc90ca6001f9284bdb5b54f247c6b19dedc30a951f908fe1f8799294649bc647209482c84c900d21783d1c18d533644f64b38efd51d8d8ec0f5
SSDEEP:	12288:TQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXF5:MbLguVQhfdmMSirYbcMNgef0QeQjG
TLSH:	2436235A766C91FCC10A627574634926E6B73C5A22BD960F8F908B520C137A0FF78F4B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F1430DE071Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F1430DE0738h
cmp esi, 01h
je 00007F1430DE0717h
cmp esi, 02h
jne 00007F1430DE0734h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F1430DE071Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F1430DE071Eh
push edi
push esi
push ebx
call 00007F1430DE062Ah
test eax, eax
jne 00007F1430DE0716h
xor eax, eax
jmp 00007F1430DE0760h
push edi
push esi
push ebx
call 00007F1430DE04DCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F1430DE071Eh
test eax, eax
jne 00007F1430DE0749h
push edi
push eax
push ebx
call 00007F1430DE0606h
test esi, esi
je 00007F1430DE0717h
cmp esi, 03h
jne 00007F1430DE0738h
push edi
push esi
push ebx
call 00007F1430DE05F5h
test eax, eax
jne 00007F1430DE0715h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F1430DE0723h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F1430DE071Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	d584d66e67c2a91c2f940577173b4a2c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8100900650024414

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T21:34:55.923849+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	50078	20.114.59.183	192.168.2.7
2024-07-25T21:34:02.298829+0200	UDP	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	53342	53	192.168.2.7	1.1.1.1
2024-07-25T21:34:15.727764+0200	TCP	2001569	ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection	49831	445	192.168.2.7	36.4.231.1
2024-07-25T21:34:17.088039+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49821	20.114.59.183	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:33:54.413325071 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 25, 2024 21:33:54.928981066 CEST	49674	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:33:54.929008961 CEST	49675	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:33:55.069614887 CEST	49672	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:33:58.429905891 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:33:58.803946972 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:33:59.225819111 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 25, 2024 21:33:59.553942919 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:34:01.054023981 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:34:02.521534920 CEST	49699	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:02.526689053 CEST	80	49699	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:02.526837111 CEST	49699	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:02.529356956 CEST	49699	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:02.534260988 CEST	80	49699	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:03.214509964 CEST	80	49699	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:03.214580059 CEST	49699	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:03.214668036 CEST	80	49699	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:03.214720011 CEST	49699	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:03.328538895 CEST	49699	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:03.333822966 CEST	80	49699	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:03.733755112 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:03.738692999 CEST	80	49700	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:03.738897085 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:03.739309072 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:03.744160891 CEST	80	49700	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:04.038475037 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:34:04.264836073 CEST	80	49700	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:04.265207052 CEST	80	49700	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:04.265258074 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:04.265258074 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:04.270350933 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:04.270350933 CEST	49700	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:04.371855974 CEST	49701	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:04.376908064 CEST	80	49701	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:04.377006054 CEST	49701	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:04.377120972 CEST	49701	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:04.381889105 CEST	80	49701	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:04.538321972 CEST	49674	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:04.538348913 CEST	49675	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:04.671118975 CEST	49672	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:04.919166088 CEST	49702	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:04.926316977 CEST	80	49702	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:04.926419973 CEST	49702	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:04.926732063 CEST	49702	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:04.933995962 CEST	80	49702	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.012617111 CEST	80	49701	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.012706041 CEST	49701	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:05.013691902 CEST	80	49701	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.013761997 CEST	49701	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:05.016984940 CEST	49701	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:05.019659996 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.021807909 CEST	80	49701	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.024599075 CEST	80	49703	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:05.024699926 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.024918079 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.029654980 CEST	80	49703	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:05.520668983 CEST	80	49703	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:05.520772934 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.521080971 CEST	80	49703	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:05.521287918 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.535195112 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.535240889 CEST	49703	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.547842979 CEST	80	49702	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.547923088 CEST	49702	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:05.552762032 CEST	80	49702	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.552840948 CEST	49702	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:05.583702087 CEST	49702	80	192.168.2.7	103.224.212.215
Jul 25, 2024 21:34:05.585968971 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.588645935 CEST	80	49702	103.224.212.215	192.168.2.7
Jul 25, 2024 21:34:05.591228008 CEST	80	49704	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:05.591662884 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.592134953 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:05.596911907 CEST	80	49704	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:05.612359047 CEST	49705	445	192.168.2.7	64.16.93.74
Jul 25, 2024 21:34:05.617364883 CEST	445	49705	64.16.93.74	192.168.2.7
Jul 25, 2024 21:34:05.617439032 CEST	49705	445	192.168.2.7	64.16.93.74
Jul 25, 2024 21:34:05.618485928 CEST	49705	445	192.168.2.7	64.16.93.74
Jul 25, 2024 21:34:05.618866920 CEST	49706	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.623920918 CEST	445	49706	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:05.623934984 CEST	445	49705	64.16.93.74	192.168.2.7
Jul 25, 2024 21:34:05.623995066 CEST	49705	445	192.168.2.7	64.16.93.74
Jul 25, 2024 21:34:05.624036074 CEST	49706	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.624217987 CEST	49706	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.628165007 CEST	49707	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.629666090 CEST	445	49706	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:05.629720926 CEST	49706	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.633161068 CEST	445	49707	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:05.633233070 CEST	49707	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.633271933 CEST	49707	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:05.638190031 CEST	445	49707	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:06.150805950 CEST	80	49704	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:06.151002884 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:06.151657104 CEST	80	49704	199.59.243.226	192.168.2.7
Jul 25, 2024 21:34:06.151789904 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:06.159357071 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:06.159380913 CEST	49704	80	192.168.2.7	199.59.243.226
Jul 25, 2024 21:34:07.113730907 CEST	443	49698	104.98.116.138	192.168.2.7
Jul 25, 2024 21:34:07.113868952 CEST	49698	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:07.671152115 CEST	49730	445	192.168.2.7	10.54.96.181
Jul 25, 2024 21:34:07.676218033 CEST	445	49730	10.54.96.181	192.168.2.7
Jul 25, 2024 21:34:07.676340103 CEST	49730	445	192.168.2.7	10.54.96.181
Jul 25, 2024 21:34:07.676565886 CEST	49730	445	192.168.2.7	10.54.96.181
Jul 25, 2024 21:34:07.677537918 CEST	49731	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.682487011 CEST	445	49731	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:07.682568073 CEST	445	49730	10.54.96.181	192.168.2.7
Jul 25, 2024 21:34:07.682574987 CEST	49731	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.682622910 CEST	49730	445	192.168.2.7	10.54.96.181
Jul 25, 2024 21:34:07.682626009 CEST	49731	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.684264898 CEST	49732	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.689011097 CEST	445	49731	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:07.689074993 CEST	49731	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.689110994 CEST	445	49732	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:07.689173937 CEST	49732	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.689558983 CEST	49732	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:07.694314003 CEST	445	49732	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:08.835287094 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 25, 2024 21:34:09.665077925 CEST	49755	445	192.168.2.7	6.118.192.0
Jul 25, 2024 21:34:09.670084953 CEST	445	49755	6.118.192.0	192.168.2.7
Jul 25, 2024 21:34:09.670195103 CEST	49755	445	192.168.2.7	6.118.192.0
Jul 25, 2024 21:34:09.670278072 CEST	49755	445	192.168.2.7	6.118.192.0
Jul 25, 2024 21:34:09.670543909 CEST	49756	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.675441027 CEST	445	49756	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:09.675570965 CEST	49756	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.675581932 CEST	49756	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.675997019 CEST	445	49755	6.118.192.0	192.168.2.7
Jul 25, 2024 21:34:09.676055908 CEST	49755	445	192.168.2.7	6.118.192.0
Jul 25, 2024 21:34:09.676870108 CEST	49757	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.681875944 CEST	445	49756	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:09.681957006 CEST	49756	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.681996107 CEST	445	49757	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:09.682070971 CEST	49757	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.682132959 CEST	49757	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:09.686995983 CEST	445	49757	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:09.991489887 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:34:11.680619001 CEST	49780	445	192.168.2.7	185.127.160.210
Jul 25, 2024 21:34:11.685602903 CEST	445	49780	185.127.160.210	192.168.2.7
Jul 25, 2024 21:34:11.685687065 CEST	49780	445	192.168.2.7	185.127.160.210
Jul 25, 2024 21:34:11.685765028 CEST	49780	445	192.168.2.7	185.127.160.210
Jul 25, 2024 21:34:11.685976982 CEST	49781	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.690768003 CEST	445	49781	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:11.690833092 CEST	49781	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.690905094 CEST	49781	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.691935062 CEST	49782	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.693026066 CEST	445	49780	185.127.160.210	192.168.2.7
Jul 25, 2024 21:34:11.693078041 CEST	49780	445	192.168.2.7	185.127.160.210
Jul 25, 2024 21:34:11.696737051 CEST	445	49782	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:11.696819067 CEST	49782	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.696858883 CEST	49782	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.697649002 CEST	445	49781	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:11.697707891 CEST	49781	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:11.701622963 CEST	445	49782	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:13.700067043 CEST	49805	445	192.168.2.7	119.225.62.88
Jul 25, 2024 21:34:13.705864906 CEST	445	49805	119.225.62.88	192.168.2.7
Jul 25, 2024 21:34:13.705955029 CEST	49805	445	192.168.2.7	119.225.62.88
Jul 25, 2024 21:34:13.706048012 CEST	49805	445	192.168.2.7	119.225.62.88
Jul 25, 2024 21:34:13.706347942 CEST	49806	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.712241888 CEST	445	49805	119.225.62.88	192.168.2.7
Jul 25, 2024 21:34:13.712281942 CEST	445	49806	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:13.712352037 CEST	49806	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.712439060 CEST	49806	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.715259075 CEST	49807	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.715457916 CEST	445	49805	119.225.62.88	192.168.2.7
Jul 25, 2024 21:34:13.715507030 CEST	49805	445	192.168.2.7	119.225.62.88
Jul 25, 2024 21:34:13.719609976 CEST	445	49806	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:13.720659971 CEST	445	49807	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:13.720726967 CEST	49807	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.720794916 CEST	49807	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.725439072 CEST	445	49806	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:13.725502014 CEST	49806	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:13.728435040 CEST	445	49807	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:15.096786976 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:15.096818924 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:15.096918106 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:15.098731995 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:15.098750114 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:15.635937929 CEST	49698	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:15.641002893 CEST	443	49698	104.98.116.138	192.168.2.7
Jul 25, 2024 21:34:15.704504013 CEST	49829	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:15.704541922 CEST	443	49829	104.98.116.138	192.168.2.7
Jul 25, 2024 21:34:15.704642057 CEST	49829	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:15.719294071 CEST	49830	445	192.168.2.7	36.4.231.47
Jul 25, 2024 21:34:15.724232912 CEST	445	49830	36.4.231.47	192.168.2.7
Jul 25, 2024 21:34:15.726933956 CEST	49830	445	192.168.2.7	36.4.231.47
Jul 25, 2024 21:34:15.727504969 CEST	49830	445	192.168.2.7	36.4.231.47
Jul 25, 2024 21:34:15.727763891 CEST	49831	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.728708029 CEST	49829	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:15.728744030 CEST	443	49829	104.98.116.138	192.168.2.7
Jul 25, 2024 21:34:15.738717079 CEST	445	49831	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:15.738804102 CEST	49831	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.738949060 CEST	49831	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.739522934 CEST	445	49830	36.4.231.47	192.168.2.7
Jul 25, 2024 21:34:15.740365028 CEST	49832	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.748743057 CEST	445	49832	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:15.749377966 CEST	49832	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.749378920 CEST	49832	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.753684998 CEST	445	49831	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:15.756537914 CEST	445	49832	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:15.767616034 CEST	445	49830	36.4.231.47	192.168.2.7
Jul 25, 2024 21:34:15.767709970 CEST	49830	445	192.168.2.7	36.4.231.47
Jul 25, 2024 21:34:15.772726059 CEST	445	49831	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:15.772824049 CEST	49831	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:15.952775002 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:15.952864885 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:15.957145929 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:15.957163095 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:15.957479954 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:16.007117033 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:16.809045076 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:16.852543116 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078659058 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078680992 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078687906 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078700066 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078736067 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078785896 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:17.078833103 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.078851938 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:17.078888893 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:17.087836027 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.087933064 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:17.087941885 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:17.088025093 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:17.730487108 CEST	49857	445	192.168.2.7	199.180.31.91
Jul 25, 2024 21:34:17.932940960 CEST	445	49857	199.180.31.91	192.168.2.7
Jul 25, 2024 21:34:17.933098078 CEST	49857	445	192.168.2.7	199.180.31.91
Jul 25, 2024 21:34:17.981076002 CEST	49857	445	192.168.2.7	199.180.31.91
Jul 25, 2024 21:34:17.981408119 CEST	49861	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:17.986215115 CEST	445	49857	199.180.31.91	192.168.2.7
Jul 25, 2024 21:34:17.986238956 CEST	445	49861	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:17.986367941 CEST	49857	445	192.168.2.7	199.180.31.91
Jul 25, 2024 21:34:17.986438990 CEST	49861	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:17.986641884 CEST	49861	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:17.992292881 CEST	445	49861	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:17.993933916 CEST	49861	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:18.109442949 CEST	49862	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:18.114274979 CEST	445	49862	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:18.114388943 CEST	49862	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:18.118328094 CEST	49862	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:18.123092890 CEST	445	49862	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:18.144620895 CEST	49821	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:18.144659996 CEST	443	49821	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:19.742168903 CEST	49882	445	192.168.2.7	58.57.197.86
Jul 25, 2024 21:34:19.747318983 CEST	445	49882	58.57.197.86	192.168.2.7
Jul 25, 2024 21:34:19.747411966 CEST	49882	445	192.168.2.7	58.57.197.86
Jul 25, 2024 21:34:19.747441053 CEST	49882	445	192.168.2.7	58.57.197.86
Jul 25, 2024 21:34:19.747659922 CEST	49883	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:19.752662897 CEST	445	49883	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:19.752895117 CEST	49883	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:19.752974987 CEST	49883	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:19.753299952 CEST	49884	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:19.758091927 CEST	445	49884	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:19.758181095 CEST	49884	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:19.758214951 CEST	49884	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:19.759362936 CEST	445	49882	58.57.197.86	192.168.2.7
Jul 25, 2024 21:34:19.759377956 CEST	445	49883	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:19.763112068 CEST	445	49884	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:19.804990053 CEST	445	49862	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:19.805063963 CEST	49862	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:19.805103064 CEST	49862	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:19.805140972 CEST	49862	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:19.809900045 CEST	445	49862	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:19.810092926 CEST	445	49862	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:19.868617058 CEST	445	49882	58.57.197.86	192.168.2.7
Jul 25, 2024 21:34:19.870044947 CEST	49882	445	192.168.2.7	58.57.197.86
Jul 25, 2024 21:34:19.885164022 CEST	445	49883	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:19.885363102 CEST	49883	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:21.757917881 CEST	49906	445	192.168.2.7	152.246.44.232
Jul 25, 2024 21:34:21.763077974 CEST	445	49906	152.246.44.232	192.168.2.7
Jul 25, 2024 21:34:21.763194084 CEST	49906	445	192.168.2.7	152.246.44.232
Jul 25, 2024 21:34:21.763233900 CEST	49906	445	192.168.2.7	152.246.44.232
Jul 25, 2024 21:34:21.763326883 CEST	49907	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.768374920 CEST	445	49907	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:21.768455029 CEST	49907	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.768471956 CEST	49907	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.768737078 CEST	49908	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.769280910 CEST	445	49906	152.246.44.232	192.168.2.7
Jul 25, 2024 21:34:21.769351006 CEST	49906	445	192.168.2.7	152.246.44.232
Jul 25, 2024 21:34:21.773550034 CEST	445	49908	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:21.773617983 CEST	49908	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.773649931 CEST	49908	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.774135113 CEST	445	49907	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:21.774193048 CEST	49907	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:21.779175043 CEST	445	49908	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:21.897855997 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 21:34:22.820127010 CEST	49919	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:22.825028896 CEST	445	49919	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:22.825180054 CEST	49919	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:22.825362921 CEST	49919	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:22.830121994 CEST	445	49919	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:23.773487091 CEST	49930	445	192.168.2.7	185.124.94.222
Jul 25, 2024 21:34:23.778702021 CEST	445	49930	185.124.94.222	192.168.2.7
Jul 25, 2024 21:34:23.778794050 CEST	49930	445	192.168.2.7	185.124.94.222
Jul 25, 2024 21:34:23.778856039 CEST	49930	445	192.168.2.7	185.124.94.222
Jul 25, 2024 21:34:23.778955936 CEST	49931	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.784313917 CEST	445	49931	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:23.784380913 CEST	49931	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.784390926 CEST	49931	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.784650087 CEST	49932	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.785125971 CEST	445	49930	185.124.94.222	192.168.2.7
Jul 25, 2024 21:34:23.785181999 CEST	49930	445	192.168.2.7	185.124.94.222
Jul 25, 2024 21:34:23.789597034 CEST	445	49932	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:23.789659977 CEST	49932	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.789685011 CEST	49932	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.790986061 CEST	445	49931	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:23.791034937 CEST	49931	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:23.794754982 CEST	445	49932	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:24.443569899 CEST	445	49919	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:24.443691969 CEST	49919	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:24.443712950 CEST	49919	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:24.443751097 CEST	49919	445	192.168.2.7	199.180.31.1
Jul 25, 2024 21:34:24.448662996 CEST	445	49919	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:24.448687077 CEST	445	49919	199.180.31.1	192.168.2.7
Jul 25, 2024 21:34:24.507422924 CEST	49940	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.515492916 CEST	445	49940	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:24.515602112 CEST	49940	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.515672922 CEST	49940	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.516030073 CEST	49941	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.521862984 CEST	445	49941	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:24.521929026 CEST	49941	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.521982908 CEST	49941	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.523327112 CEST	445	49940	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:24.523386002 CEST	49940	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:24.529334068 CEST	445	49941	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:25.789309978 CEST	49956	445	192.168.2.7	202.230.132.72
Jul 25, 2024 21:34:25.794668913 CEST	445	49956	202.230.132.72	192.168.2.7
Jul 25, 2024 21:34:25.794833899 CEST	49956	445	192.168.2.7	202.230.132.72
Jul 25, 2024 21:34:25.794857979 CEST	49956	445	192.168.2.7	202.230.132.72
Jul 25, 2024 21:34:25.795078993 CEST	49957	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.799927950 CEST	445	49957	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:25.800004005 CEST	49957	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.800004005 CEST	49957	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.800271988 CEST	49958	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.801620007 CEST	445	49956	202.230.132.72	192.168.2.7
Jul 25, 2024 21:34:25.801690102 CEST	49956	445	192.168.2.7	202.230.132.72
Jul 25, 2024 21:34:25.805327892 CEST	445	49958	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:25.805402994 CEST	49958	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.805428028 CEST	49958	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.806658983 CEST	445	49957	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:25.806718111 CEST	49957	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:25.810492992 CEST	445	49958	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:27.068595886 CEST	445	49707	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:27.068809032 CEST	49707	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:27.068809032 CEST	49707	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:27.068873882 CEST	49707	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:27.073745012 CEST	445	49707	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:27.073810101 CEST	445	49707	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:27.804749012 CEST	49981	445	192.168.2.7	69.235.55.242
Jul 25, 2024 21:34:27.814795971 CEST	445	49981	69.235.55.242	192.168.2.7
Jul 25, 2024 21:34:27.814913034 CEST	49981	445	192.168.2.7	69.235.55.242
Jul 25, 2024 21:34:27.814960003 CEST	49981	445	192.168.2.7	69.235.55.242
Jul 25, 2024 21:34:27.815210104 CEST	49982	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.820234060 CEST	445	49982	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:27.820318937 CEST	49982	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.820348024 CEST	49982	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.820650101 CEST	49983	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.822278023 CEST	445	49981	69.235.55.242	192.168.2.7
Jul 25, 2024 21:34:27.822356939 CEST	49981	445	192.168.2.7	69.235.55.242
Jul 25, 2024 21:34:27.825479984 CEST	445	49983	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:27.825542927 CEST	49983	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.825563908 CEST	49983	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.826822996 CEST	445	49982	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:27.826870918 CEST	49982	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:27.830641985 CEST	445	49983	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:29.074650049 CEST	445	49732	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:29.074814081 CEST	49732	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:29.074814081 CEST	49732	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:29.074870110 CEST	49732	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:29.081199884 CEST	445	49732	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:29.081217051 CEST	445	49732	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:29.824479103 CEST	50004	445	192.168.2.7	199.207.38.47
Jul 25, 2024 21:34:29.834564924 CEST	445	50004	199.207.38.47	192.168.2.7
Jul 25, 2024 21:34:29.834640026 CEST	50004	445	192.168.2.7	199.207.38.47
Jul 25, 2024 21:34:29.836991072 CEST	50004	445	192.168.2.7	199.207.38.47
Jul 25, 2024 21:34:29.837178946 CEST	50005	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.842730999 CEST	445	50005	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:29.842808962 CEST	50005	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.843044043 CEST	445	50004	199.207.38.47	192.168.2.7
Jul 25, 2024 21:34:29.843101025 CEST	50004	445	192.168.2.7	199.207.38.47
Jul 25, 2024 21:34:29.845139980 CEST	50005	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.854166031 CEST	445	50005	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:29.862430096 CEST	445	50005	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:29.862505913 CEST	50005	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.863843918 CEST	50006	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.869477034 CEST	445	50006	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:29.869539022 CEST	50006	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.870179892 CEST	50006	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:29.875475883 CEST	445	50006	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:30.069924116 CEST	50010	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:30.075943947 CEST	445	50010	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:30.076040030 CEST	50010	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:30.078803062 CEST	50010	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:30.083893061 CEST	445	50010	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:31.036318064 CEST	445	49757	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:31.036422014 CEST	49757	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:31.037178993 CEST	49757	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:31.037455082 CEST	49757	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:31.043910980 CEST	445	49757	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:31.043967009 CEST	445	49757	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:31.835969925 CEST	50011	445	192.168.2.7	210.44.60.232
Jul 25, 2024 21:34:31.841244936 CEST	445	50011	210.44.60.232	192.168.2.7
Jul 25, 2024 21:34:31.841367960 CEST	50011	445	192.168.2.7	210.44.60.232
Jul 25, 2024 21:34:31.841367960 CEST	50011	445	192.168.2.7	210.44.60.232
Jul 25, 2024 21:34:31.841495991 CEST	50012	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.846411943 CEST	445	50012	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:31.846502066 CEST	50012	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.846535921 CEST	50012	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.846867085 CEST	50013	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.847265005 CEST	445	50011	210.44.60.232	192.168.2.7
Jul 25, 2024 21:34:31.847335100 CEST	50011	445	192.168.2.7	210.44.60.232
Jul 25, 2024 21:34:31.852139950 CEST	445	50012	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:31.852431059 CEST	445	50013	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:31.852519035 CEST	50013	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.852521896 CEST	50012	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.852552891 CEST	50013	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:31.857458115 CEST	445	50013	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:32.085628033 CEST	50014	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:32.090688944 CEST	445	50014	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:32.090823889 CEST	50014	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:32.090909004 CEST	50014	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:32.096251965 CEST	445	50014	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:33.067884922 CEST	445	49782	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:33.068044901 CEST	49782	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:33.068188906 CEST	49782	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:33.068319082 CEST	49782	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:33.073153973 CEST	445	49782	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:33.073683977 CEST	445	49782	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:33.851540089 CEST	50015	445	192.168.2.7	188.219.99.197
Jul 25, 2024 21:34:33.856724977 CEST	445	50015	188.219.99.197	192.168.2.7
Jul 25, 2024 21:34:33.856838942 CEST	50015	445	192.168.2.7	188.219.99.197
Jul 25, 2024 21:34:33.856858969 CEST	50015	445	192.168.2.7	188.219.99.197
Jul 25, 2024 21:34:33.856981993 CEST	50016	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.861903906 CEST	445	50016	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:33.862004042 CEST	50016	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.862004042 CEST	50016	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.862246037 CEST	50017	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.863850117 CEST	445	50015	188.219.99.197	192.168.2.7
Jul 25, 2024 21:34:33.864577055 CEST	445	50015	188.219.99.197	192.168.2.7
Jul 25, 2024 21:34:33.864643097 CEST	50015	445	192.168.2.7	188.219.99.197
Jul 25, 2024 21:34:33.868063927 CEST	445	50017	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:33.868139029 CEST	50017	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.868160963 CEST	50017	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.868974924 CEST	445	50016	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:33.869043112 CEST	50016	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:33.873260975 CEST	445	50017	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:34.038999081 CEST	50018	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:34.044542074 CEST	445	50018	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:34.044723034 CEST	50018	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:34.044893026 CEST	50018	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:34.050143003 CEST	445	50018	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:35.117918968 CEST	445	49807	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:35.118027925 CEST	49807	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:35.118108034 CEST	49807	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:35.118206024 CEST	49807	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:35.123080969 CEST	445	49807	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:35.123111010 CEST	445	49807	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:35.650484085 CEST	445	50017	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:35.650696993 CEST	50017	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:35.650696993 CEST	50017	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:35.650732994 CEST	50017	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:35.655555964 CEST	445	50017	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:35.656586885 CEST	445	50017	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:35.867202997 CEST	50019	445	192.168.2.7	100.100.254.107
Jul 25, 2024 21:34:35.872312069 CEST	445	50019	100.100.254.107	192.168.2.7
Jul 25, 2024 21:34:35.872448921 CEST	50019	445	192.168.2.7	100.100.254.107
Jul 25, 2024 21:34:35.872539997 CEST	50019	445	192.168.2.7	100.100.254.107
Jul 25, 2024 21:34:35.872813940 CEST	50020	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.883085012 CEST	445	50020	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:35.883177996 CEST	50020	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.883214951 CEST	50020	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.883414984 CEST	445	50019	100.100.254.107	192.168.2.7
Jul 25, 2024 21:34:35.883519888 CEST	50021	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.884031057 CEST	445	50019	100.100.254.107	192.168.2.7
Jul 25, 2024 21:34:35.884098053 CEST	50019	445	192.168.2.7	100.100.254.107
Jul 25, 2024 21:34:35.891547918 CEST	445	50021	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:35.891657114 CEST	50021	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.891700029 CEST	50021	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.893104076 CEST	445	50020	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:35.893167019 CEST	50020	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:35.896493912 CEST	445	50021	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:36.070420027 CEST	50022	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:36.322211027 CEST	445	50022	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:36.322390079 CEST	50022	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:36.322463036 CEST	50022	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:36.334688902 CEST	445	50022	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:37.170016050 CEST	445	49832	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:37.170149088 CEST	49832	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:37.170340061 CEST	49832	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:37.170399904 CEST	49832	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:37.186709881 CEST	445	49832	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:37.186768055 CEST	445	49832	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:37.882663012 CEST	50023	445	192.168.2.7	94.16.11.61
Jul 25, 2024 21:34:37.887876987 CEST	445	50023	94.16.11.61	192.168.2.7
Jul 25, 2024 21:34:37.887967110 CEST	50023	445	192.168.2.7	94.16.11.61
Jul 25, 2024 21:34:37.888016939 CEST	50023	445	192.168.2.7	94.16.11.61
Jul 25, 2024 21:34:37.888205051 CEST	50024	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.893490076 CEST	445	50024	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:37.893569946 CEST	50024	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.893656015 CEST	50024	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.893970966 CEST	50025	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.894269943 CEST	445	50023	94.16.11.61	192.168.2.7
Jul 25, 2024 21:34:37.894325018 CEST	50023	445	192.168.2.7	94.16.11.61
Jul 25, 2024 21:34:37.898895979 CEST	445	50025	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:37.898969889 CEST	50025	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.899003983 CEST	50025	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.899254084 CEST	445	50024	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:37.899306059 CEST	50024	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:37.904090881 CEST	445	50025	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:38.132724047 CEST	50026	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:38.137912989 CEST	445	50026	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:38.138046980 CEST	50026	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:38.138125896 CEST	50026	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:38.142993927 CEST	445	50026	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:38.663676977 CEST	50027	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:38.668776035 CEST	445	50027	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:38.668865919 CEST	50027	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:38.668930054 CEST	50027	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:38.673810005 CEST	445	50027	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:39.898593903 CEST	50028	445	192.168.2.7	16.68.196.149
Jul 25, 2024 21:34:39.904087067 CEST	445	50028	16.68.196.149	192.168.2.7
Jul 25, 2024 21:34:39.904298067 CEST	50028	445	192.168.2.7	16.68.196.149
Jul 25, 2024 21:34:39.904361010 CEST	50028	445	192.168.2.7	16.68.196.149
Jul 25, 2024 21:34:39.904937029 CEST	50029	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.913279057 CEST	445	50029	16.68.196.1	192.168.2.7
Jul 25, 2024 21:34:39.913392067 CEST	445	50028	16.68.196.149	192.168.2.7
Jul 25, 2024 21:34:39.913422108 CEST	50029	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.913523912 CEST	50028	445	192.168.2.7	16.68.196.149
Jul 25, 2024 21:34:39.913578987 CEST	50029	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.913918018 CEST	50030	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.919164896 CEST	445	50030	16.68.196.1	192.168.2.7
Jul 25, 2024 21:34:39.919300079 CEST	50030	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.919300079 CEST	50030	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.919358015 CEST	445	50029	16.68.196.1	192.168.2.7
Jul 25, 2024 21:34:39.922564030 CEST	445	50029	16.68.196.1	192.168.2.7
Jul 25, 2024 21:34:39.922744036 CEST	50029	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:34:39.924967051 CEST	445	50030	16.68.196.1	192.168.2.7
Jul 25, 2024 21:34:40.179709911 CEST	50031	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:40.185312986 CEST	445	50031	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:40.185569048 CEST	50031	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:40.185925007 CEST	50031	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:34:40.191277981 CEST	445	50031	36.4.231.1	192.168.2.7
Jul 25, 2024 21:34:40.492229939 CEST	445	50027	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:40.492343903 CEST	50027	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:40.492384911 CEST	50027	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:40.492418051 CEST	50027	445	192.168.2.7	188.219.99.1
Jul 25, 2024 21:34:40.497278929 CEST	445	50027	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:40.497780085 CEST	445	50027	188.219.99.1	192.168.2.7
Jul 25, 2024 21:34:40.554586887 CEST	50032	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.573379040 CEST	445	50032	188.219.99.2	192.168.2.7
Jul 25, 2024 21:34:40.573513985 CEST	50032	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.573513985 CEST	50032	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.574018002 CEST	50033	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.580713987 CEST	445	50033	188.219.99.2	192.168.2.7
Jul 25, 2024 21:34:40.580790043 CEST	50033	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.580874920 CEST	50033	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.583208084 CEST	445	50032	188.219.99.2	192.168.2.7
Jul 25, 2024 21:34:40.583267927 CEST	50032	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:34:40.585767984 CEST	445	50033	188.219.99.2	192.168.2.7
Jul 25, 2024 21:34:41.245109081 CEST	445	49884	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:41.245223045 CEST	49884	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:41.245223045 CEST	49884	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:41.245413065 CEST	49884	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:41.250073910 CEST	445	49884	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:41.250314951 CEST	445	49884	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:41.773601055 CEST	50034	445	192.168.2.7	90.64.160.42
Jul 25, 2024 21:34:41.779320002 CEST	445	50034	90.64.160.42	192.168.2.7
Jul 25, 2024 21:34:41.779445887 CEST	50034	445	192.168.2.7	90.64.160.42
Jul 25, 2024 21:34:41.779481888 CEST	50034	445	192.168.2.7	90.64.160.42
Jul 25, 2024 21:34:41.779720068 CEST	50035	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.785001993 CEST	445	50035	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:41.785090923 CEST	50035	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.785128117 CEST	50035	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.785466909 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.786186934 CEST	445	50034	90.64.160.42	192.168.2.7
Jul 25, 2024 21:34:41.786303043 CEST	50034	445	192.168.2.7	90.64.160.42
Jul 25, 2024 21:34:41.790656090 CEST	445	50036	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:41.790741920 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.790807009 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.791301966 CEST	445	50035	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:41.792095900 CEST	445	50035	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:41.792152882 CEST	50035	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:41.796293974 CEST	445	50036	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:43.154119968 CEST	445	49908	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:43.154293060 CEST	49908	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:43.154340982 CEST	49908	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:43.154393911 CEST	49908	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:43.159307957 CEST	445	49908	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:43.159332037 CEST	445	49908	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:43.523783922 CEST	50037	445	192.168.2.7	4.84.89.125
Jul 25, 2024 21:34:43.554883957 CEST	445	50037	4.84.89.125	192.168.2.7
Jul 25, 2024 21:34:43.555130005 CEST	50037	445	192.168.2.7	4.84.89.125
Jul 25, 2024 21:34:43.573055983 CEST	50037	445	192.168.2.7	4.84.89.125
Jul 25, 2024 21:34:43.573273897 CEST	50038	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.579821110 CEST	445	50038	4.84.89.1	192.168.2.7
Jul 25, 2024 21:34:43.579981089 CEST	50038	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.579981089 CEST	50038	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.580328941 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.584945917 CEST	445	50037	4.84.89.125	192.168.2.7
Jul 25, 2024 21:34:43.585342884 CEST	50037	445	192.168.2.7	4.84.89.125
Jul 25, 2024 21:34:43.595386982 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:34:43.595426083 CEST	445	50038	4.84.89.1	192.168.2.7
Jul 25, 2024 21:34:43.595518112 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.598095894 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.599647999 CEST	445	50038	4.84.89.1	192.168.2.7
Jul 25, 2024 21:34:43.599715948 CEST	50038	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:34:43.603722095 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:34:43.860816956 CEST	445	50036	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:43.860985041 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:43.861939907 CEST	445	50036	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:43.861996889 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:43.862453938 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:43.862515926 CEST	50036	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:43.867297888 CEST	445	50036	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:43.867532015 CEST	445	50036	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:44.258150101 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:44.263456106 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:44.263607979 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:44.263652086 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:34:44.268946886 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:34:45.164073944 CEST	50041	445	192.168.2.7	95.210.118.170
Jul 25, 2024 21:34:45.169315100 CEST	445	50041	95.210.118.170	192.168.2.7
Jul 25, 2024 21:34:45.169420004 CEST	50041	445	192.168.2.7	95.210.118.170
Jul 25, 2024 21:34:45.169441938 CEST	50041	445	192.168.2.7	95.210.118.170
Jul 25, 2024 21:34:45.169537067 CEST	50042	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.176145077 CEST	445	50042	95.210.118.1	192.168.2.7
Jul 25, 2024 21:34:45.176249981 CEST	50042	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.176286936 CEST	50042	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.176640034 CEST	50043	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.176722050 CEST	445	50041	95.210.118.170	192.168.2.7
Jul 25, 2024 21:34:45.176779985 CEST	50041	445	192.168.2.7	95.210.118.170
Jul 25, 2024 21:34:45.184185982 CEST	445	50043	95.210.118.1	192.168.2.7
Jul 25, 2024 21:34:45.184252977 CEST	50043	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.184287071 CEST	50043	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.189451933 CEST	445	50042	95.210.118.1	192.168.2.7
Jul 25, 2024 21:34:45.189503908 CEST	50042	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:34:45.189857006 CEST	445	50043	95.210.118.1	192.168.2.7
Jul 25, 2024 21:34:45.197597027 CEST	445	49932	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:45.197654963 CEST	49932	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:45.197685003 CEST	49932	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:45.197724104 CEST	49932	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:45.204170942 CEST	445	49932	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:45.204240084 CEST	445	49932	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:45.897361994 CEST	445	49941	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:45.897722006 CEST	49941	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:45.897722006 CEST	49941	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:45.897768974 CEST	49941	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:45.902565956 CEST	445	49941	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:45.902924061 CEST	445	49941	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:46.164098978 CEST	50044	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:46.169275999 CEST	445	50044	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:46.169404984 CEST	50044	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:46.174674034 CEST	50044	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:34:46.180095911 CEST	445	50044	152.246.44.1	192.168.2.7
Jul 25, 2024 21:34:46.695390940 CEST	50045	445	192.168.2.7	136.185.8.192
Jul 25, 2024 21:34:46.700402975 CEST	445	50045	136.185.8.192	192.168.2.7
Jul 25, 2024 21:34:46.700504065 CEST	50045	445	192.168.2.7	136.185.8.192
Jul 25, 2024 21:34:46.700519085 CEST	50045	445	192.168.2.7	136.185.8.192
Jul 25, 2024 21:34:46.700716972 CEST	50046	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.707416058 CEST	445	50045	136.185.8.192	192.168.2.7
Jul 25, 2024 21:34:46.707478046 CEST	445	50046	136.185.8.1	192.168.2.7
Jul 25, 2024 21:34:46.707567930 CEST	50046	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.707660913 CEST	50046	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.707986116 CEST	50047	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.709034920 CEST	445	50045	136.185.8.192	192.168.2.7
Jul 25, 2024 21:34:46.709106922 CEST	50045	445	192.168.2.7	136.185.8.192
Jul 25, 2024 21:34:46.714940071 CEST	445	50047	136.185.8.1	192.168.2.7
Jul 25, 2024 21:34:46.715039015 CEST	50047	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.715070963 CEST	50047	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.715576887 CEST	445	50046	136.185.8.1	192.168.2.7
Jul 25, 2024 21:34:46.715640068 CEST	50046	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:34:46.720114946 CEST	445	50047	136.185.8.1	192.168.2.7
Jul 25, 2024 21:34:46.867008924 CEST	50048	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:46.872838020 CEST	445	50048	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:46.872972012 CEST	50048	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:46.873019934 CEST	50048	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:46.878456116 CEST	445	50048	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:47.199251890 CEST	445	49958	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:47.199331999 CEST	49958	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:47.199388027 CEST	49958	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:47.199410915 CEST	49958	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:47.204242945 CEST	445	49958	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:47.204265118 CEST	445	49958	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:48.119435072 CEST	50049	445	192.168.2.7	68.75.152.100
Jul 25, 2024 21:34:48.124749899 CEST	445	50049	68.75.152.100	192.168.2.7
Jul 25, 2024 21:34:48.124859095 CEST	50049	445	192.168.2.7	68.75.152.100
Jul 25, 2024 21:34:48.124979973 CEST	50049	445	192.168.2.7	68.75.152.100
Jul 25, 2024 21:34:48.125163078 CEST	50050	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.130201101 CEST	445	50050	68.75.152.1	192.168.2.7
Jul 25, 2024 21:34:48.130276918 CEST	50050	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.131400108 CEST	445	50049	68.75.152.100	192.168.2.7
Jul 25, 2024 21:34:48.131757021 CEST	445	50049	68.75.152.100	192.168.2.7
Jul 25, 2024 21:34:48.131808996 CEST	50049	445	192.168.2.7	68.75.152.100
Jul 25, 2024 21:34:48.134413958 CEST	50050	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.139662981 CEST	445	50050	68.75.152.1	192.168.2.7
Jul 25, 2024 21:34:48.139740944 CEST	50050	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.177685976 CEST	50051	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.182871103 CEST	445	50051	68.75.152.1	192.168.2.7
Jul 25, 2024 21:34:48.183001995 CEST	50051	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.184791088 CEST	50051	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:34:48.189721107 CEST	445	50051	68.75.152.1	192.168.2.7
Jul 25, 2024 21:34:48.273468018 CEST	50052	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:48.279035091 CEST	445	50052	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:48.279131889 CEST	50052	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:48.279165983 CEST	50052	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:34:48.284981966 CEST	445	50052	185.124.94.1	192.168.2.7
Jul 25, 2024 21:34:48.610488892 CEST	445	50048	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:48.610577106 CEST	50048	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:48.610622883 CEST	50048	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:48.610666037 CEST	50048	445	192.168.2.7	90.64.160.1
Jul 25, 2024 21:34:48.615560055 CEST	445	50048	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:48.615602970 CEST	445	50048	90.64.160.1	192.168.2.7
Jul 25, 2024 21:34:48.663779974 CEST	50053	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.668634892 CEST	445	50053	90.64.160.2	192.168.2.7
Jul 25, 2024 21:34:48.668725014 CEST	50053	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.668740988 CEST	50053	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.669048071 CEST	50054	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.674199104 CEST	445	50054	90.64.160.2	192.168.2.7
Jul 25, 2024 21:34:48.674263000 CEST	50054	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.674273014 CEST	50054	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.674877882 CEST	445	50053	90.64.160.2	192.168.2.7
Jul 25, 2024 21:34:48.674921989 CEST	50053	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:34:48.679133892 CEST	445	50054	90.64.160.2	192.168.2.7
Jul 25, 2024 21:34:48.898260117 CEST	50055	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:48.907736063 CEST	445	50055	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:48.907871962 CEST	50055	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:48.907912016 CEST	50055	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:34:48.912959099 CEST	445	50055	199.180.31.2	192.168.2.7
Jul 25, 2024 21:34:49.228432894 CEST	445	49983	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:49.228593111 CEST	49983	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:49.228626966 CEST	49983	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:49.228650093 CEST	49983	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:49.233695030 CEST	445	49983	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:49.233727932 CEST	445	49983	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:49.445312023 CEST	50056	445	192.168.2.7	80.67.170.143
Jul 25, 2024 21:34:49.450973988 CEST	445	50056	80.67.170.143	192.168.2.7
Jul 25, 2024 21:34:49.451124907 CEST	50056	445	192.168.2.7	80.67.170.143
Jul 25, 2024 21:34:49.451154947 CEST	50056	445	192.168.2.7	80.67.170.143
Jul 25, 2024 21:34:49.451263905 CEST	50057	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.458817005 CEST	445	50057	80.67.170.1	192.168.2.7
Jul 25, 2024 21:34:49.458905935 CEST	50057	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.458940029 CEST	50057	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.459234953 CEST	50058	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.459547997 CEST	445	50056	80.67.170.143	192.168.2.7
Jul 25, 2024 21:34:49.461355925 CEST	445	50056	80.67.170.143	192.168.2.7
Jul 25, 2024 21:34:49.461425066 CEST	50056	445	192.168.2.7	80.67.170.143
Jul 25, 2024 21:34:49.464241028 CEST	445	50058	80.67.170.1	192.168.2.7
Jul 25, 2024 21:34:49.464323044 CEST	50058	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.464380026 CEST	50058	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.464833021 CEST	445	50057	80.67.170.1	192.168.2.7
Jul 25, 2024 21:34:49.464881897 CEST	50057	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:34:49.469329119 CEST	445	50058	80.67.170.1	192.168.2.7
Jul 25, 2024 21:34:50.214639902 CEST	50059	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:50.219563961 CEST	445	50059	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:50.219635963 CEST	50059	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:50.219665051 CEST	50059	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:34:50.224479914 CEST	445	50059	202.230.132.1	192.168.2.7
Jul 25, 2024 21:34:50.683052063 CEST	50060	445	192.168.2.7	161.221.47.44
Jul 25, 2024 21:34:50.688189030 CEST	445	50060	161.221.47.44	192.168.2.7
Jul 25, 2024 21:34:50.688503981 CEST	50060	445	192.168.2.7	161.221.47.44
Jul 25, 2024 21:34:50.701298952 CEST	50060	445	192.168.2.7	161.221.47.44
Jul 25, 2024 21:34:50.701517105 CEST	50061	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.706438065 CEST	445	50061	161.221.47.1	192.168.2.7
Jul 25, 2024 21:34:50.706541061 CEST	50061	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.706577063 CEST	50061	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.706625938 CEST	445	50060	161.221.47.44	192.168.2.7
Jul 25, 2024 21:34:50.706758976 CEST	50060	445	192.168.2.7	161.221.47.44
Jul 25, 2024 21:34:50.706944942 CEST	50062	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.712419033 CEST	445	50061	161.221.47.1	192.168.2.7
Jul 25, 2024 21:34:50.712507010 CEST	50061	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.712691069 CEST	445	50062	161.221.47.1	192.168.2.7
Jul 25, 2024 21:34:50.712757111 CEST	50062	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.720829010 CEST	50062	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:34:50.725806952 CEST	445	50062	161.221.47.1	192.168.2.7
Jul 25, 2024 21:34:51.279762030 CEST	445	50006	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:51.279876947 CEST	50006	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:51.280057907 CEST	50006	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:51.280057907 CEST	50006	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:51.285207987 CEST	445	50006	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:51.285578012 CEST	445	50006	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:51.457420111 CEST	445	50010	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:51.457555056 CEST	50010	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:51.457668066 CEST	50010	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:51.457668066 CEST	50010	445	192.168.2.7	64.16.93.1
Jul 25, 2024 21:34:51.462675095 CEST	445	50010	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:51.463017941 CEST	445	50010	64.16.93.1	192.168.2.7
Jul 25, 2024 21:34:51.523251057 CEST	50063	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.528362036 CEST	445	50063	64.16.93.2	192.168.2.7
Jul 25, 2024 21:34:51.528472900 CEST	50063	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.528516054 CEST	50063	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.528918982 CEST	50064	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.534387112 CEST	445	50064	64.16.93.2	192.168.2.7
Jul 25, 2024 21:34:51.534486055 CEST	50064	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.534486055 CEST	50064	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.534835100 CEST	445	50063	64.16.93.2	192.168.2.7
Jul 25, 2024 21:34:51.534892082 CEST	50063	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:34:51.539628983 CEST	445	50064	64.16.93.2	192.168.2.7
Jul 25, 2024 21:34:51.836136103 CEST	50065	445	192.168.2.7	99.44.247.176
Jul 25, 2024 21:34:51.841314077 CEST	445	50065	99.44.247.176	192.168.2.7
Jul 25, 2024 21:34:51.841545105 CEST	50065	445	192.168.2.7	99.44.247.176
Jul 25, 2024 21:34:51.841661930 CEST	50065	445	192.168.2.7	99.44.247.176
Jul 25, 2024 21:34:51.841661930 CEST	50066	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.849049091 CEST	445	50066	99.44.247.1	192.168.2.7
Jul 25, 2024 21:34:51.849237919 CEST	50066	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.849292040 CEST	50066	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.850229025 CEST	50067	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.855271101 CEST	445	50067	99.44.247.1	192.168.2.7
Jul 25, 2024 21:34:51.855453968 CEST	50067	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.855532885 CEST	50067	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.855833054 CEST	445	50066	99.44.247.1	192.168.2.7
Jul 25, 2024 21:34:51.856093884 CEST	445	50065	99.44.247.176	192.168.2.7
Jul 25, 2024 21:34:51.857984066 CEST	445	50065	99.44.247.176	192.168.2.7
Jul 25, 2024 21:34:51.858078957 CEST	50065	445	192.168.2.7	99.44.247.176
Jul 25, 2024 21:34:51.859045029 CEST	445	50066	99.44.247.1	192.168.2.7
Jul 25, 2024 21:34:51.859133959 CEST	50066	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:34:51.860641003 CEST	445	50067	99.44.247.1	192.168.2.7
Jul 25, 2024 21:34:52.242039919 CEST	50068	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:52.250739098 CEST	445	50068	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:52.250878096 CEST	50068	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:52.250925064 CEST	50068	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:34:52.256728888 CEST	445	50068	69.235.55.1	192.168.2.7
Jul 25, 2024 21:34:52.914155006 CEST	50069	445	192.168.2.7	95.43.108.164
Jul 25, 2024 21:34:52.919502974 CEST	445	50069	95.43.108.164	192.168.2.7
Jul 25, 2024 21:34:52.919590950 CEST	50069	445	192.168.2.7	95.43.108.164
Jul 25, 2024 21:34:52.919678926 CEST	50069	445	192.168.2.7	95.43.108.164
Jul 25, 2024 21:34:52.919847012 CEST	50070	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.924678087 CEST	445	50070	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:52.924740076 CEST	50070	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.924777031 CEST	50070	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.925052881 CEST	50071	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.925218105 CEST	445	50069	95.43.108.164	192.168.2.7
Jul 25, 2024 21:34:52.925277948 CEST	50069	445	192.168.2.7	95.43.108.164
Jul 25, 2024 21:34:52.930192947 CEST	445	50071	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:52.930202961 CEST	445	50070	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:52.930260897 CEST	50070	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.930282116 CEST	50071	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.930331945 CEST	50071	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:52.935244083 CEST	445	50071	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:53.245033979 CEST	445	50013	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:53.245170116 CEST	50013	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:53.245170116 CEST	50013	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:53.245266914 CEST	50013	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:53.250284910 CEST	445	50013	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:53.250384092 CEST	445	50013	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:53.463709116 CEST	445	50014	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:53.463864088 CEST	50014	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:53.463922024 CEST	50014	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:53.463983059 CEST	50014	445	192.168.2.7	10.54.96.1
Jul 25, 2024 21:34:53.468900919 CEST	445	50014	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:53.468931913 CEST	445	50014	10.54.96.1	192.168.2.7
Jul 25, 2024 21:34:53.523550034 CEST	50072	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.529083014 CEST	445	50072	10.54.96.2	192.168.2.7
Jul 25, 2024 21:34:53.529206991 CEST	50072	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.529234886 CEST	50072	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.529639959 CEST	50073	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.534549952 CEST	445	50073	10.54.96.2	192.168.2.7
Jul 25, 2024 21:34:53.534622908 CEST	50073	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.534660101 CEST	50073	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.535367012 CEST	445	50072	10.54.96.2	192.168.2.7
Jul 25, 2024 21:34:53.535732031 CEST	445	50072	10.54.96.2	192.168.2.7
Jul 25, 2024 21:34:53.535788059 CEST	50072	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:34:53.543585062 CEST	445	50073	10.54.96.2	192.168.2.7
Jul 25, 2024 21:34:53.929807901 CEST	50074	445	192.168.2.7	162.84.231.192
Jul 25, 2024 21:34:53.938508034 CEST	445	50074	162.84.231.192	192.168.2.7
Jul 25, 2024 21:34:53.938735008 CEST	50074	445	192.168.2.7	162.84.231.192
Jul 25, 2024 21:34:53.938807011 CEST	50074	445	192.168.2.7	162.84.231.192
Jul 25, 2024 21:34:53.938985109 CEST	50075	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.945518017 CEST	445	50075	162.84.231.1	192.168.2.7
Jul 25, 2024 21:34:53.945612907 CEST	50075	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.945647955 CEST	50075	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.945878029 CEST	445	50074	162.84.231.192	192.168.2.7
Jul 25, 2024 21:34:53.945950031 CEST	50074	445	192.168.2.7	162.84.231.192
Jul 25, 2024 21:34:53.946021080 CEST	50076	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.952111959 CEST	445	50076	162.84.231.1	192.168.2.7
Jul 25, 2024 21:34:53.952143908 CEST	445	50075	162.84.231.1	192.168.2.7
Jul 25, 2024 21:34:53.952172041 CEST	445	50075	162.84.231.1	192.168.2.7
Jul 25, 2024 21:34:53.952205896 CEST	50076	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.952233076 CEST	50075	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.952279091 CEST	50076	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:34:53.958549023 CEST	445	50076	162.84.231.1	192.168.2.7
Jul 25, 2024 21:34:54.288997889 CEST	50077	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:54.299882889 CEST	445	50077	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:54.300024986 CEST	50077	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:54.300024986 CEST	50077	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:34:54.306215048 CEST	445	50077	199.207.38.1	192.168.2.7
Jul 25, 2024 21:34:54.653789997 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:54.653858900 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:54.654129982 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:54.654377937 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:54.654412031 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:54.729368925 CEST	445	50071	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:54.729628086 CEST	50071	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:54.729628086 CEST	50071	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:54.729629040 CEST	50071	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:54.734719992 CEST	445	50071	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:54.734778881 CEST	445	50071	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:54.867645979 CEST	50079	445	192.168.2.7	2.251.193.160
Jul 25, 2024 21:34:54.873378992 CEST	445	50079	2.251.193.160	192.168.2.7
Jul 25, 2024 21:34:54.873660088 CEST	50079	445	192.168.2.7	2.251.193.160
Jul 25, 2024 21:34:54.873735905 CEST	50079	445	192.168.2.7	2.251.193.160
Jul 25, 2024 21:34:54.874026060 CEST	50080	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.879009962 CEST	445	50080	2.251.193.1	192.168.2.7
Jul 25, 2024 21:34:54.879113913 CEST	50080	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.879237890 CEST	50080	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.879570961 CEST	445	50079	2.251.193.160	192.168.2.7
Jul 25, 2024 21:34:54.879755020 CEST	50081	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.879856110 CEST	445	50079	2.251.193.160	192.168.2.7
Jul 25, 2024 21:34:54.879936934 CEST	50079	445	192.168.2.7	2.251.193.160
Jul 25, 2024 21:34:54.884691954 CEST	445	50080	2.251.193.1	192.168.2.7
Jul 25, 2024 21:34:54.884744883 CEST	445	50081	2.251.193.1	192.168.2.7
Jul 25, 2024 21:34:54.884803057 CEST	50080	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.884921074 CEST	50081	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.884939909 CEST	50081	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:34:54.889885902 CEST	445	50081	2.251.193.1	192.168.2.7
Jul 25, 2024 21:34:55.413064957 CEST	445	50018	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:55.413141012 CEST	50018	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:55.413178921 CEST	50018	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:55.413238049 CEST	50018	445	192.168.2.7	6.118.192.1
Jul 25, 2024 21:34:55.418927908 CEST	445	50018	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:55.419308901 CEST	445	50018	6.118.192.1	192.168.2.7
Jul 25, 2024 21:34:55.476367950 CEST	50082	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.481515884 CEST	445	50082	6.118.192.2	192.168.2.7
Jul 25, 2024 21:34:55.481616974 CEST	50082	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.481678963 CEST	50082	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.482009888 CEST	50083	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.487287998 CEST	445	50082	6.118.192.2	192.168.2.7
Jul 25, 2024 21:34:55.487333059 CEST	445	50083	6.118.192.2	192.168.2.7
Jul 25, 2024 21:34:55.487353086 CEST	50082	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.487390995 CEST	50083	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.487432003 CEST	50083	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:34:55.492948055 CEST	445	50083	6.118.192.2	192.168.2.7
Jul 25, 2024 21:34:55.561294079 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.561429977 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.564958096 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.564974070 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.565217018 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.571245909 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.612540960 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.742252111 CEST	50084	445	192.168.2.7	210.211.15.239
Jul 25, 2024 21:34:55.754357100 CEST	445	50084	210.211.15.239	192.168.2.7
Jul 25, 2024 21:34:55.754487991 CEST	50084	445	192.168.2.7	210.211.15.239
Jul 25, 2024 21:34:55.754515886 CEST	50084	445	192.168.2.7	210.211.15.239
Jul 25, 2024 21:34:55.754724026 CEST	50085	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.760749102 CEST	445	50085	210.211.15.1	192.168.2.7
Jul 25, 2024 21:34:55.760854959 CEST	50085	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.761143923 CEST	50085	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.761143923 CEST	50086	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.763034105 CEST	445	50084	210.211.15.239	192.168.2.7
Jul 25, 2024 21:34:55.763091087 CEST	50084	445	192.168.2.7	210.211.15.239
Jul 25, 2024 21:34:55.766340971 CEST	445	50086	210.211.15.1	192.168.2.7
Jul 25, 2024 21:34:55.766457081 CEST	50086	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.766504049 CEST	50086	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.767401934 CEST	445	50085	210.211.15.1	192.168.2.7
Jul 25, 2024 21:34:55.775131941 CEST	445	50086	210.211.15.1	192.168.2.7
Jul 25, 2024 21:34:55.797863007 CEST	445	50085	210.211.15.1	192.168.2.7
Jul 25, 2024 21:34:55.797992945 CEST	50085	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:34:55.908307076 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.908351898 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.908369064 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.908545971 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.908628941 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.908710003 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.923593998 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.923655987 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.923741102 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.923758030 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.923815966 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.923815966 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.923969030 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.924016953 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:55.924046040 CEST	50078	443	192.168.2.7	20.114.59.183
Jul 25, 2024 21:34:55.924062967 CEST	443	50078	20.114.59.183	192.168.2.7
Jul 25, 2024 21:34:56.257704020 CEST	50087	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:56.262836933 CEST	445	50087	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:56.262923956 CEST	50087	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:56.262957096 CEST	50087	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:34:56.267853975 CEST	445	50087	210.44.60.1	192.168.2.7
Jul 25, 2024 21:34:56.570373058 CEST	50088	445	192.168.2.7	132.107.82.189
Jul 25, 2024 21:34:56.575476885 CEST	445	50088	132.107.82.189	192.168.2.7
Jul 25, 2024 21:34:56.575644970 CEST	50088	445	192.168.2.7	132.107.82.189
Jul 25, 2024 21:34:56.575644970 CEST	50088	445	192.168.2.7	132.107.82.189
Jul 25, 2024 21:34:56.575740099 CEST	50089	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.581038952 CEST	445	50089	132.107.82.1	192.168.2.7
Jul 25, 2024 21:34:56.581119061 CEST	50089	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.581149101 CEST	50089	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.581518888 CEST	50090	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.581708908 CEST	445	50088	132.107.82.189	192.168.2.7
Jul 25, 2024 21:34:56.581934929 CEST	50088	445	192.168.2.7	132.107.82.189
Jul 25, 2024 21:34:56.586339951 CEST	445	50090	132.107.82.1	192.168.2.7
Jul 25, 2024 21:34:56.586412907 CEST	50090	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.586448908 CEST	50090	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.586828947 CEST	445	50089	132.107.82.1	192.168.2.7
Jul 25, 2024 21:34:56.586888075 CEST	50089	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:34:56.591351986 CEST	445	50090	132.107.82.1	192.168.2.7
Jul 25, 2024 21:34:57.292134047 CEST	445	50021	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:57.292224884 CEST	50021	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:57.292264938 CEST	50021	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:57.292284966 CEST	50021	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:34:57.297278881 CEST	445	50021	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:57.297599077 CEST	445	50021	100.100.254.1	192.168.2.7
Jul 25, 2024 21:34:57.336332083 CEST	50091	445	192.168.2.7	13.55.192.105
Jul 25, 2024 21:34:57.341468096 CEST	445	50091	13.55.192.105	192.168.2.7
Jul 25, 2024 21:34:57.341592073 CEST	50091	445	192.168.2.7	13.55.192.105
Jul 25, 2024 21:34:57.341592073 CEST	50091	445	192.168.2.7	13.55.192.105
Jul 25, 2024 21:34:57.341718912 CEST	50092	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.346978903 CEST	445	50092	13.55.192.1	192.168.2.7
Jul 25, 2024 21:34:57.347079039 CEST	50092	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.347227097 CEST	50092	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.347640038 CEST	445	50091	13.55.192.105	192.168.2.7
Jul 25, 2024 21:34:57.347731113 CEST	445	50091	13.55.192.105	192.168.2.7
Jul 25, 2024 21:34:57.347757101 CEST	50093	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.347866058 CEST	50091	445	192.168.2.7	13.55.192.105
Jul 25, 2024 21:34:57.352547884 CEST	445	50093	13.55.192.1	192.168.2.7
Jul 25, 2024 21:34:57.352619886 CEST	50093	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.352663994 CEST	50093	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.353282928 CEST	445	50092	13.55.192.1	192.168.2.7
Jul 25, 2024 21:34:57.353338957 CEST	50092	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.616826057 CEST	445	50092	13.55.192.1	192.168.2.7
Jul 25, 2024 21:34:57.616934061 CEST	50092	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:34:57.617034912 CEST	445	50093	13.55.192.1	192.168.2.7
Jul 25, 2024 21:34:57.621835947 CEST	445	50092	13.55.192.1	192.168.2.7
Jul 25, 2024 21:34:57.725344896 CEST	445	50022	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:57.725578070 CEST	50022	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:57.725701094 CEST	50022	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:57.725775003 CEST	50022	445	192.168.2.7	185.127.160.1
Jul 25, 2024 21:34:57.730623960 CEST	445	50022	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:57.730993986 CEST	445	50022	185.127.160.1	192.168.2.7
Jul 25, 2024 21:34:57.741955996 CEST	50094	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:57.746846914 CEST	445	50094	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:57.746928930 CEST	50094	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:57.746957064 CEST	50094	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:57.751990080 CEST	445	50094	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:57.789004087 CEST	50095	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.793978930 CEST	445	50095	185.127.160.2	192.168.2.7
Jul 25, 2024 21:34:57.794064045 CEST	50095	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.794105053 CEST	50095	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.794645071 CEST	50096	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.799382925 CEST	445	50095	185.127.160.2	192.168.2.7
Jul 25, 2024 21:34:57.799603939 CEST	445	50096	185.127.160.2	192.168.2.7
Jul 25, 2024 21:34:57.799803019 CEST	50096	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.799803019 CEST	50096	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.800700903 CEST	445	50095	185.127.160.2	192.168.2.7
Jul 25, 2024 21:34:57.800756931 CEST	50095	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:34:57.804600000 CEST	445	50096	185.127.160.2	192.168.2.7
Jul 25, 2024 21:34:58.571500063 CEST	443	49829	104.98.116.138	192.168.2.7
Jul 25, 2024 21:34:58.571621895 CEST	49829	443	192.168.2.7	104.98.116.138
Jul 25, 2024 21:34:59.295228958 CEST	445	50025	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:59.295344114 CEST	50025	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:59.295389891 CEST	50025	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:59.295444012 CEST	50025	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:34:59.301632881 CEST	445	50025	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:59.301990032 CEST	445	50025	94.16.11.1	192.168.2.7
Jul 25, 2024 21:34:59.502515078 CEST	445	50094	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:59.502579927 CEST	50094	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:59.502624035 CEST	50094	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:59.502648115 CEST	50094	445	192.168.2.7	95.43.108.1
Jul 25, 2024 21:34:59.507590055 CEST	445	50094	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:59.507882118 CEST	445	50094	95.43.108.1	192.168.2.7
Jul 25, 2024 21:34:59.522233009 CEST	445	50026	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:59.522305012 CEST	50026	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:59.522424936 CEST	50026	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:59.522424936 CEST	50026	445	192.168.2.7	119.225.62.1
Jul 25, 2024 21:34:59.527566910 CEST	445	50026	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:59.530173063 CEST	445	50026	119.225.62.1	192.168.2.7
Jul 25, 2024 21:34:59.555145979 CEST	50101	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.560116053 CEST	445	50101	95.43.108.2	192.168.2.7
Jul 25, 2024 21:34:59.560178041 CEST	50101	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.560311079 CEST	50101	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.560853004 CEST	50102	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.566324949 CEST	445	50102	95.43.108.2	192.168.2.7
Jul 25, 2024 21:34:59.566385031 CEST	50102	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.566819906 CEST	445	50101	95.43.108.2	192.168.2.7
Jul 25, 2024 21:34:59.566852093 CEST	50102	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.566874981 CEST	50101	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:34:59.571885109 CEST	445	50102	95.43.108.2	192.168.2.7
Jul 25, 2024 21:34:59.586294889 CEST	50103	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.591145039 CEST	445	50103	119.225.62.2	192.168.2.7
Jul 25, 2024 21:34:59.591276884 CEST	50103	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.598184109 CEST	50103	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.599246979 CEST	50104	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.603312969 CEST	445	50103	119.225.62.2	192.168.2.7
Jul 25, 2024 21:34:59.603804111 CEST	445	50103	119.225.62.2	192.168.2.7
Jul 25, 2024 21:34:59.603856087 CEST	50103	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.604418993 CEST	445	50104	119.225.62.2	192.168.2.7
Jul 25, 2024 21:34:59.604479074 CEST	50104	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.604522943 CEST	50104	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:34:59.609496117 CEST	445	50104	119.225.62.2	192.168.2.7
Jul 25, 2024 21:35:00.304640055 CEST	50108	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:35:00.309660912 CEST	445	50108	100.100.254.1	192.168.2.7
Jul 25, 2024 21:35:00.311918974 CEST	50108	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:35:00.311984062 CEST	50108	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:35:00.317914009 CEST	445	50108	100.100.254.1	192.168.2.7
Jul 25, 2024 21:35:01.354813099 CEST	445	50030	16.68.196.1	192.168.2.7
Jul 25, 2024 21:35:01.354979992 CEST	50030	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:01.355024099 CEST	50030	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:01.355082035 CEST	50030	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:01.360039949 CEST	445	50030	16.68.196.1	192.168.2.7
Jul 25, 2024 21:35:01.360120058 CEST	445	50030	16.68.196.1	192.168.2.7
Jul 25, 2024 21:35:01.646239996 CEST	445	50031	36.4.231.1	192.168.2.7
Jul 25, 2024 21:35:01.646392107 CEST	50031	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:35:01.646441936 CEST	50031	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:35:01.646544933 CEST	50031	445	192.168.2.7	36.4.231.1
Jul 25, 2024 21:35:01.651352882 CEST	445	50031	36.4.231.1	192.168.2.7
Jul 25, 2024 21:35:01.651379108 CEST	445	50031	36.4.231.1	192.168.2.7
Jul 25, 2024 21:35:01.710797071 CEST	50118	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.716250896 CEST	445	50118	36.4.231.2	192.168.2.7
Jul 25, 2024 21:35:01.716370106 CEST	50118	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.716403961 CEST	50118	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.716823101 CEST	50119	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.721710920 CEST	445	50119	36.4.231.2	192.168.2.7
Jul 25, 2024 21:35:01.721795082 CEST	50119	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.721821070 CEST	50119	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.726774931 CEST	445	50119	36.4.231.2	192.168.2.7
Jul 25, 2024 21:35:01.727427006 CEST	445	50118	36.4.231.2	192.168.2.7
Jul 25, 2024 21:35:01.730156898 CEST	445	50118	36.4.231.2	192.168.2.7
Jul 25, 2024 21:35:01.730216026 CEST	50118	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:01.994319916 CEST	445	50033	188.219.99.2	192.168.2.7
Jul 25, 2024 21:35:01.994471073 CEST	50033	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:01.994525909 CEST	50033	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:01.994535923 CEST	50033	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:01.999593973 CEST	445	50033	188.219.99.2	192.168.2.7
Jul 25, 2024 21:35:01.999732971 CEST	445	50033	188.219.99.2	192.168.2.7
Jul 25, 2024 21:35:02.304672956 CEST	50124	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:35:02.310252905 CEST	445	50124	94.16.11.1	192.168.2.7
Jul 25, 2024 21:35:02.310389996 CEST	50124	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:35:02.310425997 CEST	50124	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:35:02.315221071 CEST	445	50124	94.16.11.1	192.168.2.7
Jul 25, 2024 21:35:04.366985083 CEST	50150	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:04.372087955 CEST	445	50150	16.68.196.1	192.168.2.7
Jul 25, 2024 21:35:04.372198105 CEST	50150	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:04.372248888 CEST	50150	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:04.377100945 CEST	445	50150	16.68.196.1	192.168.2.7
Jul 25, 2024 21:35:05.007462978 CEST	50162	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:05.012411118 CEST	445	50162	188.219.99.2	192.168.2.7
Jul 25, 2024 21:35:05.012578011 CEST	50162	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:05.012643099 CEST	50162	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:05.017479897 CEST	445	50162	188.219.99.2	192.168.2.7
Jul 25, 2024 21:35:06.092075109 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.092173100 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:06.092247009 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:06.092298985 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:06.092744112 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.092814922 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:06.093142986 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.093200922 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:06.093427896 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.093482018 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:35:06.093553066 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:35:06.093619108 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:35:06.093635082 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.093698025 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:35:06.093708038 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.093748093 CEST	50039	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:06.094023943 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.094136000 CEST	50040	445	192.168.2.7	58.57.197.1
Jul 25, 2024 21:35:06.099292994 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.099319935 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.099330902 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.099406958 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.099476099 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.099486113 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.099520922 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.099531889 CEST	445	50039	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:06.101042032 CEST	445	50040	58.57.197.1	192.168.2.7
Jul 25, 2024 21:35:06.148158073 CEST	50186	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.153064966 CEST	445	50186	58.57.197.2	192.168.2.7
Jul 25, 2024 21:35:06.153143883 CEST	50186	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.153173923 CEST	50186	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.153485060 CEST	50187	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.161755085 CEST	445	50186	58.57.197.2	192.168.2.7
Jul 25, 2024 21:35:06.161789894 CEST	445	50187	58.57.197.2	192.168.2.7
Jul 25, 2024 21:35:06.161834002 CEST	50186	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.161880016 CEST	50187	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.161900997 CEST	50187	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:06.167011976 CEST	445	50187	58.57.197.2	192.168.2.7
Jul 25, 2024 21:35:06.588248968 CEST	445	50043	95.210.118.1	192.168.2.7
Jul 25, 2024 21:35:06.588362932 CEST	50043	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:35:06.588416100 CEST	50043	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:35:06.588464975 CEST	50043	445	192.168.2.7	95.210.118.1
Jul 25, 2024 21:35:06.593318939 CEST	445	50043	95.210.118.1	192.168.2.7
Jul 25, 2024 21:35:06.593374968 CEST	445	50043	95.210.118.1	192.168.2.7
Jul 25, 2024 21:35:07.569827080 CEST	445	50044	152.246.44.1	192.168.2.7
Jul 25, 2024 21:35:07.569993973 CEST	50044	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:35:07.570029974 CEST	50044	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:35:07.570029974 CEST	50044	445	192.168.2.7	152.246.44.1
Jul 25, 2024 21:35:07.574850082 CEST	445	50044	152.246.44.1	192.168.2.7
Jul 25, 2024 21:35:07.574975014 CEST	445	50044	152.246.44.1	192.168.2.7
Jul 25, 2024 21:35:07.632772923 CEST	50234	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.640113115 CEST	445	50234	152.246.44.2	192.168.2.7
Jul 25, 2024 21:35:07.640280962 CEST	50234	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.640383005 CEST	50234	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.640827894 CEST	50235	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.648165941 CEST	445	50235	152.246.44.2	192.168.2.7
Jul 25, 2024 21:35:07.648205042 CEST	445	50234	152.246.44.2	192.168.2.7
Jul 25, 2024 21:35:07.648257017 CEST	50235	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.648350954 CEST	50235	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.648511887 CEST	50234	445	192.168.2.7	152.246.44.2
Jul 25, 2024 21:35:07.653353930 CEST	445	50235	152.246.44.2	192.168.2.7
Jul 25, 2024 21:35:08.098902941 CEST	445	50047	136.185.8.1	192.168.2.7
Jul 25, 2024 21:35:08.098968983 CEST	50047	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:35:08.099004030 CEST	50047	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:35:08.099021912 CEST	50047	445	192.168.2.7	136.185.8.1
Jul 25, 2024 21:35:08.105365992 CEST	445	50047	136.185.8.1	192.168.2.7
Jul 25, 2024 21:35:08.105380058 CEST	445	50047	136.185.8.1	192.168.2.7
Jul 25, 2024 21:35:09.101459980 CEST	50350	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:09.106590986 CEST	445	50350	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:09.106730938 CEST	50350	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:09.106774092 CEST	50350	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:09.111908913 CEST	445	50350	4.84.89.1	192.168.2.7
Jul 25, 2024 21:35:09.572779894 CEST	445	50051	68.75.152.1	192.168.2.7
Jul 25, 2024 21:35:09.572844028 CEST	50051	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:35:09.667088985 CEST	445	50052	185.124.94.1	192.168.2.7
Jul 25, 2024 21:35:09.667156935 CEST	50052	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:35:09.920670033 CEST	50064	445	192.168.2.7	64.16.93.2
Jul 25, 2024 21:35:09.920701027 CEST	50102	445	192.168.2.7	95.43.108.2
Jul 25, 2024 21:35:09.920727968 CEST	50062	445	192.168.2.7	161.221.47.1
Jul 25, 2024 21:35:09.920772076 CEST	50059	445	192.168.2.7	202.230.132.1
Jul 25, 2024 21:35:09.920806885 CEST	50058	445	192.168.2.7	80.67.170.1
Jul 25, 2024 21:35:09.920829058 CEST	50350	445	192.168.2.7	4.84.89.1
Jul 25, 2024 21:35:09.920846939 CEST	50073	445	192.168.2.7	10.54.96.2
Jul 25, 2024 21:35:09.920887947 CEST	50083	445	192.168.2.7	6.118.192.2
Jul 25, 2024 21:35:09.920964956 CEST	50119	445	192.168.2.7	36.4.231.2
Jul 25, 2024 21:35:09.920994997 CEST	50054	445	192.168.2.7	90.64.160.2
Jul 25, 2024 21:35:09.921022892 CEST	50077	445	192.168.2.7	199.207.38.1
Jul 25, 2024 21:35:09.921052933 CEST	50052	445	192.168.2.7	185.124.94.1
Jul 25, 2024 21:35:09.921076059 CEST	50187	445	192.168.2.7	58.57.197.2
Jul 25, 2024 21:35:09.921099901 CEST	50124	445	192.168.2.7	94.16.11.1
Jul 25, 2024 21:35:09.921130896 CEST	50051	445	192.168.2.7	68.75.152.1
Jul 25, 2024 21:35:09.921150923 CEST	50055	445	192.168.2.7	199.180.31.2
Jul 25, 2024 21:35:09.921180010 CEST	50067	445	192.168.2.7	99.44.247.1
Jul 25, 2024 21:35:09.921205997 CEST	50068	445	192.168.2.7	69.235.55.1
Jul 25, 2024 21:35:09.921233892 CEST	50104	445	192.168.2.7	119.225.62.2
Jul 25, 2024 21:35:09.921258926 CEST	50076	445	192.168.2.7	162.84.231.1
Jul 25, 2024 21:35:09.921287060 CEST	50081	445	192.168.2.7	2.251.193.1
Jul 25, 2024 21:35:09.921312094 CEST	50086	445	192.168.2.7	210.211.15.1
Jul 25, 2024 21:35:09.921336889 CEST	50087	445	192.168.2.7	210.44.60.1
Jul 25, 2024 21:35:09.921361923 CEST	50090	445	192.168.2.7	132.107.82.1
Jul 25, 2024 21:35:09.921389103 CEST	50093	445	192.168.2.7	13.55.192.1
Jul 25, 2024 21:35:09.921412945 CEST	50096	445	192.168.2.7	185.127.160.2
Jul 25, 2024 21:35:09.921436071 CEST	50108	445	192.168.2.7	100.100.254.1
Jul 25, 2024 21:35:09.921483040 CEST	50150	445	192.168.2.7	16.68.196.1
Jul 25, 2024 21:35:09.921503067 CEST	50162	445	192.168.2.7	188.219.99.2
Jul 25, 2024 21:35:09.921611071 CEST	50235	445	192.168.2.7	152.246.44.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:34:02.298829079 CEST	53342	53	192.168.2.7	1.1.1.1
Jul 25, 2024 21:34:02.458976984 CEST	53	53342	1.1.1.1	192.168.2.7
Jul 25, 2024 21:34:03.331279039 CEST	59479	53	192.168.2.7	1.1.1.1
Jul 25, 2024 21:34:03.373613119 CEST	56989	53	192.168.2.7	1.1.1.1
Jul 25, 2024 21:34:03.732742071 CEST	53	59479	1.1.1.1	192.168.2.7
Jul 25, 2024 21:34:58.932574034 CEST	138	138	192.168.2.7	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 21:34:02.298829079 CEST	192.168.2.7	1.1.1.1	0x1be7	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:34:03.331279039 CEST	192.168.2.7	1.1.1.1	0x6a1c	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:34:03.373613119 CEST	192.168.2.7	1.1.1.1	0xdce8	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 21:34:02.458976984 CEST	1.1.1.1	192.168.2.7	0x1be7	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:34:03.380820036 CEST	1.1.1.1	192.168.2.7	0xdce8	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:34:03.732742071 CEST	1.1.1.1	192.168.2.7	0x6a1c	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:34:03.732742071 CEST	1.1.1.1	192.168.2.7	0x6a1c	No error (0)	77026.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	103.224.212.215	80	7444	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:34:02.529356956 CEST	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jul 25, 2024 21:34:03.214509964 CEST	365	IN	HTTP/1.1 302 Found date: Thu, 25 Jul 2024 19:34:03 GMT server: Apache set-cookie: __tad=1721936043.4587265; expires=Sun, 23-Jul-2034 19:34:03 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	199.59.243.226	80	7444	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:34:03.739309072 CEST	169	OUT	GET /?subid1=20240726-0534-0355-9ff5-0a1ebde5efcd HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jul 25, 2024 21:34:04.264836073 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 25 Jul 2024 19:34:03 GMT content-type: text/html; charset=utf-8 content-length: 1258 x-request-id: 39fec269-4c93-4234-939b-afff81d34501 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xd0yCVLfM8BCXZUJD4UEVURLtYXqxPUAKiLkM8jMdzak7wRBZVYYlCa1Cv0FPqUSmgYKCHB1NIcTw0Ym97R5hQ== set-cookie: parking_session=39fec269-4c93-4234-939b-afff81d34501; expires=Thu, 25 Jul 2024 19:49:04 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 78 64 30 79 43 56 4c 66 4d 38 42 43 58 5a 55 4a 44 34 55 45 56 55 52 4c 74 59 58 71 78 50 55 41 4b 69 4c 6b 4d 38 6a 4d 64 7a 61 6b 37 77 52 42 5a 56 59 59 6c 43 61 31 43 76 30 46 50 71 55 53 6d 67 59 4b 43 48 42 31 4e 49 63 54 77 30 59 6d 39 37 52 35 68 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xd0yCVLfM8BCXZUJD4UEVURLtYXqxPUAKiLkM8jMdzak7wRBZVYYlCa1Cv0FPqUSmgYKCHB1NIcTw0Ym97R5hQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jul 25, 2024 21:34:04.265207052 CEST	692	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzlmZWMyNjktNGM5My00MjM0LTkzOWItYWZmZjgxZDM0NTAxIiwicGFnZV90aW1lIjoxNzIxOTM2MDQ0LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49701	103.224.212.215	80	7616	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:34:04.377120972 CEST	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jul 25, 2024 21:34:05.012617111 CEST	365	IN	HTTP/1.1 302 Found date: Thu, 25 Jul 2024 19:34:04 GMT server: Apache set-cookie: __tad=1721936044.1705878; expires=Sun, 23-Jul-2034 19:34:04 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-041f-8fb2-8866394234ea content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49702	103.224.212.215	80	7664	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:34:04.926732063 CEST	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1721936043.4587265
Jul 25, 2024 21:34:05.547842979 CEST	269	IN	HTTP/1.1 302 Found date: Thu, 25 Jul 2024 19:34:05 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5be content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49703	199.59.243.226	80	7616	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:34:05.024918079 CEST	169	OUT	GET /?subid1=20240726-0534-041f-8fb2-8866394234ea HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jul 25, 2024 21:34:05.520668983 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 25 Jul 2024 19:34:05 GMT content-type: text/html; charset=utf-8 content-length: 1258 x-request-id: 919c307f-dda8-4176-838a-b517f9748f49 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PM2oRDhw0CQDlbdo7/qRNIEE1krKgcihNHsa+p7GISCXZTvEldJo/ksmL3gpc82GWcRJ/2mAsKzoy+3f3v9ULw== set-cookie: parking_session=919c307f-dda8-4176-838a-b517f9748f49; expires=Thu, 25 Jul 2024 19:49:05 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 50 4d 32 6f 52 44 68 77 30 43 51 44 6c 62 64 6f 37 2f 71 52 4e 49 45 45 31 6b 72 4b 67 63 69 68 4e 48 73 61 2b 70 37 47 49 53 43 58 5a 54 76 45 6c 64 4a 6f 2f 6b 73 6d 4c 33 67 70 63 38 32 47 57 63 52 4a 2f 32 6d 41 73 4b 7a 6f 79 2b 33 66 33 76 39 55 4c 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PM2oRDhw0CQDlbdo7/qRNIEE1krKgcihNHsa+p7GISCXZTvEldJo/ksmL3gpc82GWcRJ/2mAsKzoy+3f3v9ULw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jul 25, 2024 21:34:05.521080971 CEST	692	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTE5YzMwN2YtZGRhOC00MTc2LTgzOGEtYjUxN2Y5NzQ4ZjQ5IiwicGFnZV90aW1lIjoxNzIxOTM2MDQ1LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49704	199.59.243.226	80	7664	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:34:05.592134953 CEST	231	OUT	GET /?subid1=20240726-0534-055f-94f1-815196e9c5be HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=39fec269-4c93-4234-939b-afff81d34501
Jul 25, 2024 21:34:06.150805950 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 25 Jul 2024 19:34:05 GMT content-type: text/html; charset=utf-8 content-length: 1258 x-request-id: 1ba5d0c3-5262-420b-a65d-2eb105ed0fc3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CSy8PRVpT8RbgX54TyM/QZgIWTMgISpVsVs4DpYhOg5QifCOT5HOV9GCq15hoy3o/U7MnG2FwtSQ4Bl9cryJDQ== set-cookie: parking_session=39fec269-4c93-4234-939b-afff81d34501; expires=Thu, 25 Jul 2024 19:49:06 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 53 79 38 50 52 56 70 54 38 52 62 67 58 35 34 54 79 4d 2f 51 5a 67 49 57 54 4d 67 49 53 70 56 73 56 73 34 44 70 59 68 4f 67 35 51 69 66 43 4f 54 35 48 4f 56 39 47 43 71 31 35 68 6f 79 33 6f 2f 55 37 4d 6e 47 32 46 77 74 53 51 34 42 6c 39 63 72 79 4a 44 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CSy8PRVpT8RbgX54TyM/QZgIWTMgISpVsVs4DpYhOg5QifCOT5HOV9GCq15hoy3o/U7MnG2FwtSQ4Bl9cryJDQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jul 25, 2024 21:34:06.151657104 CEST	684	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzlmZWMyNjktNGM5My00MjM0LTkzOWItYWZmZjgxZDM0NTAxIiwicGFnZV90aW1lIjoxNzIxOTM2MDQ2LCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49821	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 19:34:16 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cmhE9WbprTxRD5l&MD=pYgsfsSr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-25 19:34:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 9e6ce33e-9e15-47e9-be02-6c66735bb17a MS-RequestId: 824b2cb6-6a29-427b-a159-212d3886d6bc MS-CV: fUuH/aFa0kW17gM7.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Jul 2024 19:34:16 GMT Connection: close Content-Length: 24490
2024-07-25 19:34:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-25 19:34:17 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	50078	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 19:34:55 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cmhE9WbprTxRD5l&MD=pYgsfsSr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-25 19:34:55 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 4ca8fc7c-5511-4d3c-8d77-92033339ab66 MS-RequestId: 8b4afcca-d180-46bf-b1a3-5fd3e7fb96c8 MS-CV: gcUg5FioXUC8/dvz.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Jul 2024 19:34:54 GMT Connection: close Content-Length: 30005
2024-07-25 19:34:55 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-25 19:34:55 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	15:34:00
Start date:	25/07/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll"
Imagebase:	0x4e0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:34:00
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:34:01
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:34:01
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002A_327.dll,PlayGame
Imagebase:	0x350000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:34:01
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",#1
Imagebase:	0x350000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:34:01
Start date:	25/07/2024
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	60A91A498C0F1FFDDEF484C5A4D42564
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1297845687.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1297973978.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvr.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:34:02
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:34:03
Start date:	25/07/2024
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	60A91A498C0F1FFDDEF484C5A4D42564
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.1322838033.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1972575394.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.1322719614.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1972756937.0000000002286000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:34:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002A_327.dll",PlayGame
Imagebase:	0x350000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:34:04
Start date:	25/07/2024
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	60A91A498C0F1FFDDEF484C5A4D42564
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1326342765.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1341643809.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1341790477.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.1326501700.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:49:52
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FBF0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07
tasksche.exe, xrefs: 00407DEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
WriteFile, xrefs: 00407D1C
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000006.00000002.1336900933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1336876669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336933075.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337034661.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 1541710770-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1336900933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1336876669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336933075.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337034661.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1336900933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1336876669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336933075.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337034661.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FBF0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.1336900933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1336876669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336933075.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337034661.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6FBF0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1336900933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1336876669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336933075.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1336955844.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337034661.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1337178358.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7616, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6FBF0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000009.00000002.1971398120.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1971383718.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971414062.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971476922.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971494335.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000009.00000002.1971398120.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1971383718.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971414062.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971476922.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971494335.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FBF0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000009.00000002.1971398120.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1971383718.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971414062.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971476922.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971494335.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FBF0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
CloseHandle, xrefs: 00407D29
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
D, xrefs: 00407ED3
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000009.00000002.1971398120.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1971383718.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971414062.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971476922.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971494335.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000009.00000002.1971398120.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1971383718.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971414062.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971427381.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971460470.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971476922.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971494335.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.1971583728.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_327.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\mssecsvr.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
LisectAVT_2403002A_327.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON