Edit tour

Windows Analysis Report
mlfk8sYaiy.dll

Overview

General Information

Sample name:	mlfk8sYaiy.dll renamed because original name is a hash value
Original sample name:	4662b44e2534901aba780e2e601e8012.dll
Analysis ID:	1591269
MD5:	4662b44e2534901aba780e2e601e8012
SHA1:	c30d623fe679bfd3fd33c32dbd795a44f5a5c55e
SHA256:	62c9a15ea404a7c537028bcabcb5753c0e6c535981c38eef417e6db0611f3eb7
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5544 cmdline: loaddll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4180 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 348 cmdline: rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 1696 cmdline: C:\WINDOWS\mssecsvr.exe MD5: E12B5051C561A8E11FFF28902B1A9A70)

rundll32.exe (PID: 3608 cmdline: rundll32.exe C:\Users\user\Desktop\mlfk8sYaiy.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6772 cmdline: rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 5936 cmdline: C:\WINDOWS\mssecsvr.exe MD5: E12B5051C561A8E11FFF28902B1A9A70)

mssecsvr.exe (PID: 3300 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: E12B5051C561A8E11FFF28902B1A9A70)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mlfk8sYaiy.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
mlfk8sYaiy.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
mlfk8sYaiy.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvr.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvr.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
C:\Windows\mssecsvr.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvr.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.1792421376.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1821887861.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1813606958.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1838019382.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 1696	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3300	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 5936	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.mssecsvr.exe.1d45084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.229796c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.229796c.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d77128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.1d77128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.22658c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.229796c.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.229796c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.229796c.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.22658c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.22658c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.22658c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.2274948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.2274948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.2274948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.2274948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d54104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d54104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1d54104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.1d54104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d77128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d77128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.1d77128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d45084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d45084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1d45084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.2274948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.2274948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.2274948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d54104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d54104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5089d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50d5a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1d54104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d500a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d500a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1d500a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.22708e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.22708e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.22708e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:03:29.054224+0100	2803304	3	Unknown Traffic	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-14T21:03:30.914583+0100	2803304	3	Unknown Traffic	192.168.2.4	49732	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:03:28.144912+0100	2830018	1	A Network Trojan was detected	192.168.2.4	50991	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mlfk8sYaiy.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d4c	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa0526945	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa05269	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b53	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\mssecsvr.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 81%
Source: C:\Windows\mssecsvr.exe	ReversingLabs: Detection: 93%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: mlfk8sYaiy.dll	ReversingLabs: Detection: 92%
Source: mlfk8sYaiy.dll	Virustotal: Detection: 92%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Machine Learning detection for dropped file

Source: C:\Windows\mssecsvr.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: mlfk8sYaiy.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: mlfk8sYaiy.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.4:50991 -> 1.1.1.1:53

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0703-2865-a082-552e366d7d4c HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0703-3025-82b1-2f8f29489b53 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885008.2630796
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0703-312e-89e7-547aa0526945 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=229b9e3a-b57d-4a5f-bf1e-23a1a6fda947

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.161
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.161
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.161
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.161
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 148.126.233.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.90
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.90
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.90
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.90
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.207.165.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.227
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.227
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.227
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.227
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.254.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.202
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.202
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.202
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.202
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.203.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 7.204.138.14
Source: unknown	TCP traffic detected without corresponding DNS query: 7.204.138.14

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0703-2865-a082-552e366d7d4c HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0703-3025-82b1-2f8f29489b53 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885008.2630796
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0703-312e-89e7-547aa0526945 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=229b9e3a-b57d-4a5f-bf1e-23a1a6fda947

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000005.00000002.1828233980.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1828233980.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d
Source: mssecsvr.exe, 00000006.00000002.2465525985.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2465525985.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b
Source: mssecsvr.exe, 00000008.00000002.1840315057.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa05269
Source: mssecsvr.exe.3.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000005.00000002.1828233980.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1828233980.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1828233980.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2465525985.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1840315057.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1840315057.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.1828233980.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L
Source: mssecsvr.exe, 00000006.00000002.2464994477.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: mlfk8sYaiy.dll, type: SAMPLE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.229796c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.22658c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d45084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.2274948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d500a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.22708e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1792421376.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1821887861.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1813606958.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1838019382.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 1696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5936, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\mssecsvr.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: mlfk8sYaiy.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: mlfk8sYaiy.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d45084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.229796c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.229796c.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.22658c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.229796c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.229796c.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.22658c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.22658c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d45084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d45084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.2274948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.2274948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d500a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d500a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.22708e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.22708e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: mssecsvr.exe.3.dr

Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: mlfk8sYaiy.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: mlfk8sYaiy.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: mlfk8sYaiy.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d45084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.229796c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.229796c.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.22658c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.229796c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.229796c.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.22658c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.22658c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.2274948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d45084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d45084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.2274948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.2274948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d500a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d500a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.22708e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.22708e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.5.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: mlfk8sYaiy.dll, mssecsvr.exe.3.dr, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/3@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03

Source: mlfk8sYaiy.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mlfk8sYaiy.dll,PlayGame

Source: mlfk8sYaiy.dll	ReversingLabs: Detection: 92%
Source: mlfk8sYaiy.dll	Virustotal: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mlfk8sYaiy.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mlfk8sYaiy.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: mlfk8sYaiy.dll

Static file information: File size 5267459 > 1048576

Source: mlfk8sYaiy.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.5.dr

Static PE information: section name: .text entropy: 7.64063717569669

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvr.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvr.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 3244	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3244	Thread sleep time: -194000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5824	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5824	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3244	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000005.00000002.1828233980.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1828233980.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2465525985.00000000009E7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2465525985.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1840315057.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1840315057.0000000000C68000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mlfk8sYaiy.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
mlfk8sYaiy.dll	93%	Virustotal		Browse
mlfk8sYaiy.dll	100%	Avira	TR/AD.WannaCry.nvufj
mlfk8sYaiy.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvr.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvr.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	82%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvr.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	82%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d4c	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa0526945	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa05269	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b53	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d4c	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa0526945	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b53	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L	mssecsvr.exe, 00000005.00000002.1828233980.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b	mssecsvr.exe, 00000006.00000002.2465525985.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2465525985.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000006.00000002.2464994477.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mssecsvr.exe.3.dr	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d	mssecsvr.exe, 00000005.00000002.1828233980.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1828233980.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa05269	mssecsvr.exe, 00000008.00000002.1840315057.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.140.22.1	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
51.178.254.2	unknown	France	16276	OVHFR	false
51.178.254.1	unknown	France	16276	OVHFR	false
39.74.29.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
206.149.19.247	unknown	United States	174	COGENT-174US	false
15.181.139.109	unknown	United States	5073	HPESUS	false
13.103.137.252	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.230.50.2	unknown	United States	16625	AKAMAI-ASUS	false
85.26.53.1	unknown	Belgium	12392	ASBRUTELEVOOBE	false
85.26.53.2	unknown	Belgium	12392	ASBRUTELEVOOBE	false
51.178.254.227	unknown	France	16276	OVHFR	false
174.8.52.1	unknown	United States	6327	SHAWCA	false
27.44.253.2	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
27.44.253.1	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
95.154.143.226	unknown	Russian Federation	43714	EPL-ASRU	false
17.207.165.90	unknown	United States	714	APPLE-ENGINEERINGUS	false
155.185.174.1	unknown	Italy	137	ASGARRConsortiumGARREU	false
15.181.139.2	unknown	United States	5073	HPESUS	false
15.181.139.1	unknown	United States	5073	HPESUS	false
214.131.32.23	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
176.153.185.129	unknown	France	5410	BOUYGTEL-ISPFR	false
19.72.220.15	unknown	United States	3	MIT-GATEWAYSUS	false
106.197.232.1	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
93.140.22.189	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
106.197.232.186	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
38.251.3.58	unknown	United States	174	COGENT-174US	false
197.203.23.1	unknown	Algeria	36947	ALGTEL-ASDZ	false
197.203.23.2	unknown	Algeria	36947	ALGTEL-ASDZ	false
7.204.138.1	unknown	United States	3356	LEVEL3US	false
197.203.23.3	unknown	Algeria	36947	ALGTEL-ASDZ	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591269
Start date and time:	2025-01-14 21:02:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mlfk8sYaiy.dll renamed because original name is a hash value
Original Sample Name:	4662b44e2534901aba780e2e601e8012.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/3@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 84.201.210.39, 199.232.210.172, 2.17.190.73, 4.245.163.56, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:03:29	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:04:04	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	uavINoSIQh.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	103.224.212.215
	lJt3mQqCQl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	xIwkOnjSIa.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	IU28r0EZFA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	ViNIRfmQmE.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	Ee3RWj3ID9.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
T-HTCroatianTelecomIncHR	6.elf	Get hash	malicious	Unknown	Browse	93.141.40.169
	res.arm5.elf	Get hash	malicious	Unknown	Browse	78.0.237.186
	sora.mips.elf	Get hash	malicious	Unknown	Browse	78.3.131.207
	sora.x86.elf	Get hash	malicious	Unknown	Browse	195.29.126.42
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	195.29.31.181
	kwari.ppc.elf	Get hash	malicious	Unknown	Browse	93.143.8.37
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	195.29.126.41
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	93.143.203.157
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	78.2.254.54
	3.elf	Get hash	malicious	Unknown	Browse	195.29.114.43
OVHFR	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	167.114.158.15
	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	167.114.158.15
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	51.38.120.206
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	51.255.30.108
	x86.elf	Get hash	malicious	Unknown	Browse	54.37.53.121
	Employee_Salary_Update.docx	Get hash	malicious	Unknown	Browse	158.69.4.253
	x86_64.elf	Get hash	malicious	Unknown	Browse	51.161.74.225
	http://nkomm.fr	Get hash	malicious	Unknown	Browse	54.38.81.29
	arm7.elf	Get hash	malicious	Mirai	Browse	178.32.95.240
	XCnB8SL.exe	Get hash	malicious	ScreenConnect Tool	Browse	51.195.188.103
OVHFR	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	167.114.158.15
	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	167.114.158.15
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	51.38.120.206
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	51.255.30.108
	x86.elf	Get hash	malicious	Unknown	Browse	54.37.53.121
	Employee_Salary_Update.docx	Get hash	malicious	Unknown	Browse	158.69.4.253
	x86_64.elf	Get hash	malicious	Unknown	Browse	51.161.74.225
	http://nkomm.fr	Get hash	malicious	Unknown	Browse	54.38.81.29
	arm7.elf	Get hash	malicious	Mirai	Browse	178.32.95.240
	XCnB8SL.exe	Get hash	malicious	ScreenConnect Tool	Browse	51.195.188.103

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	3.7167484699496227
Encrypted:	false
SSDEEP:	12288:nti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjE:tihdmMSirYbcMNgef0QeQ
MD5:	65CF699CF39A752B41CF1E8E65B5F266
SHA1:	8AF1168060889ADE54761B919BF7A92F4D493C14
SHA-256:	D1392B4DD1435469C9B8521137F25EDEAB8A898877440EEEF1CCAF06B77FD1CC
SHA-512:	8A05F1A86722481E14D1919C15DFB33B845C93841BCDEE5CAB494C54FD1B91EBB75CD89264BCBCF8E9FA8E7789AB1669A20DE82B8C4EF8518D0931162FE62D9C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvr.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2281472
Entropy (8bit):	3.9912331660440397
Encrypted:	false
SSDEEP:	12288:e1bLgmluCti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjE:QbLgurihdmMSirYbcMNgef0QeQ
MD5:	E12B5051C561A8E11FFF28902B1A9A70
SHA1:	28074BFBC7A08B45DC134808A49784FA73C2820F
SHA-256:	7BA6868C4B2F526B9B171E6518AC1C7434BB89548424482F3472C9EF480D2F41
SHA-512:	B6E019B0A4159C3FAD03E80A48B82AB603FB81D654DE6559836C47A5BDF0E41F6EC7770744A146AA34CCE8E72FE5E0F133732CAB5F24FB0895C120A5C2F6D6C9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L......................"...................@...........................P......................................................1..z...........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc.........1...... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	3.7167484699496227
Encrypted:	false
SSDEEP:	12288:nti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjE:tihdmMSirYbcMNgef0QeQ
MD5:	65CF699CF39A752B41CF1E8E65B5F266
SHA1:	8AF1168060889ADE54761B919BF7A92F4D493C14
SHA-256:	D1392B4DD1435469C9B8521137F25EDEAB8A898877440EEEF1CCAF06B77FD1CC
SHA-512:	8A05F1A86722481E14D1919C15DFB33B845C93841BCDEE5CAB494C54FD1B91EBB75CD89264BCBCF8E9FA8E7789AB1669A20DE82B8C4EF8518D0931162FE62D9C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.9620049107411335
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mlfk8sYaiy.dll
File size:	5'267'459 bytes
MD5:	4662b44e2534901aba780e2e601e8012
SHA1:	c30d623fe679bfd3fd33c32dbd795a44f5a5c55e
SHA256:	62c9a15ea404a7c537028bcabcb5753c0e6c535981c38eef417e6db0611f3eb7
SHA512:	4790f637b2df31bbc12fb36f00f197a9c08ae55cd26519f2054ef2b79eb824f80b7a746b9816d2adcf4ef8336f6025a8cafef4bbc065e412728c989a489756f4
SSDEEP:	12288:T1bLgmluCti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjE:RbLgurihdmMSirYbcMNgef0QeQ
TLSH:	8636239676AC91F8C21A6270E4774A21F2B73C7D21BD970FEB908A211C03791BB64F57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F6C9524442Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F6C95244448h
cmp esi, 01h
je 00007F6C95244427h
cmp esi, 02h
jne 00007F6C95244444h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F6C9524442Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F6C9524442Eh
push edi
push esi
push ebx
call 00007F6C9524433Ah
test eax, eax
jne 00007F6C95244426h
xor eax, eax
jmp 00007F6C95244470h
push edi
push esi
push ebx
call 00007F6C952441ECh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F6C9524442Eh
test eax, eax
jne 00007F6C95244459h
push edi
push eax
push ebx
call 00007F6C95244316h
test esi, esi
je 00007F6C95244427h
cmp esi, 03h
jne 00007F6C95244448h
push edi
push esi
push ebx
call 00007F6C95244305h
test eax, eax
jne 00007F6C95244425h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F6C95244433h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F6C9524442Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	ac7ea315149ef438c6bd259493c35d1d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.7769136428833008

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T21:03:28.144912+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.4	50991	1.1.1.1	53	UDP
2025-01-14T21:03:29.054224+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-14T21:03:30.914583+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49732	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:03:27.324018955 CET	49675	443	192.168.2.4	173.222.162.32
Jan 14, 2025 21:03:28.463871956 CET	49730	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:28.468852043 CET	80	49730	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:28.468959093 CET	49730	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:28.469108105 CET	49730	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:28.473911047 CET	80	49730	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:29.054085970 CET	80	49730	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:29.054155111 CET	80	49730	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:29.054224014 CET	49730	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:29.054270983 CET	49730	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:29.063263893 CET	49730	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:29.068098068 CET	80	49730	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:29.563410044 CET	49731	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:29.568428040 CET	80	49731	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:29.568537951 CET	49731	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:29.568738937 CET	49731	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:29.573574066 CET	80	49731	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:30.026355028 CET	80	49731	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:30.026376009 CET	80	49731	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:30.026607990 CET	49731	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:30.031991005 CET	49731	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:30.032052040 CET	49731	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:30.288085938 CET	49732	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:30.293649912 CET	80	49732	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:30.293721914 CET	49732	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:30.296466112 CET	49732	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:30.301285982 CET	80	49732	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:30.914510012 CET	80	49732	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:30.914582968 CET	49732	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:30.914632082 CET	80	49732	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:30.914680004 CET	49732	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:30.929559946 CET	49732	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:30.931292057 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:30.934494972 CET	80	49732	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:30.936372995 CET	80	49733	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:30.936475992 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:30.936599970 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:30.941695929 CET	80	49733	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:31.063210964 CET	49734	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:31.068166971 CET	80	49734	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:31.068788052 CET	49734	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:31.068949938 CET	49734	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:31.073745012 CET	80	49734	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:31.401421070 CET	80	49733	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:31.401504993 CET	80	49733	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:31.401509047 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.401619911 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.410132885 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.411340952 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.415204048 CET	80	49733	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:31.415352106 CET	49733	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.450229883 CET	49735	445	192.168.2.4	148.126.233.161
Jan 14, 2025 21:03:31.455049992 CET	445	49735	148.126.233.161	192.168.2.4
Jan 14, 2025 21:03:31.455163002 CET	49735	445	192.168.2.4	148.126.233.161
Jan 14, 2025 21:03:31.455185890 CET	49735	445	192.168.2.4	148.126.233.161
Jan 14, 2025 21:03:31.457360983 CET	49736	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.460170984 CET	445	49735	148.126.233.161	192.168.2.4
Jan 14, 2025 21:03:31.460216045 CET	49735	445	192.168.2.4	148.126.233.161
Jan 14, 2025 21:03:31.462215900 CET	445	49736	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:31.462291956 CET	49736	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.463572979 CET	49736	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.468369007 CET	445	49736	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:31.468422890 CET	49736	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.472703934 CET	49737	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.477566004 CET	445	49737	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:31.477693081 CET	49737	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.477694035 CET	49737	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:31.482743025 CET	445	49737	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:31.673543930 CET	80	49734	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:31.673656940 CET	49734	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:31.673672915 CET	80	49734	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:31.673726082 CET	49734	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:31.676398039 CET	49734	80	192.168.2.4	103.224.212.215
Jan 14, 2025 21:03:31.678354025 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.681200027 CET	80	49734	103.224.212.215	192.168.2.4
Jan 14, 2025 21:03:31.683192968 CET	80	49744	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:31.683336020 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.683603048 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:31.688358068 CET	80	49744	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:32.166584969 CET	80	49744	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:32.166608095 CET	80	49744	199.59.243.228	192.168.2.4
Jan 14, 2025 21:03:32.166762114 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:32.166762114 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:32.177264929 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:32.177419901 CET	49744	80	192.168.2.4	199.59.243.228
Jan 14, 2025 21:03:33.450926065 CET	49761	445	192.168.2.4	17.207.165.90
Jan 14, 2025 21:03:33.455869913 CET	445	49761	17.207.165.90	192.168.2.4
Jan 14, 2025 21:03:33.455976963 CET	49761	445	192.168.2.4	17.207.165.90
Jan 14, 2025 21:03:33.456054926 CET	49761	445	192.168.2.4	17.207.165.90
Jan 14, 2025 21:03:33.456286907 CET	49762	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.461049080 CET	445	49762	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:33.461116076 CET	49762	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.461143017 CET	49762	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.461158037 CET	445	49761	17.207.165.90	192.168.2.4
Jan 14, 2025 21:03:33.461211920 CET	49761	445	192.168.2.4	17.207.165.90
Jan 14, 2025 21:03:33.462383032 CET	49763	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.466093063 CET	445	49762	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:33.466185093 CET	49762	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.467175007 CET	445	49763	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:33.467243910 CET	49763	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.467297077 CET	49763	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:33.472096920 CET	445	49763	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:35.466197968 CET	49786	445	192.168.2.4	51.178.254.227
Jan 14, 2025 21:03:35.471049070 CET	445	49786	51.178.254.227	192.168.2.4
Jan 14, 2025 21:03:35.471138000 CET	49786	445	192.168.2.4	51.178.254.227
Jan 14, 2025 21:03:35.471216917 CET	49786	445	192.168.2.4	51.178.254.227
Jan 14, 2025 21:03:35.471442938 CET	49787	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.476195097 CET	445	49786	51.178.254.227	192.168.2.4
Jan 14, 2025 21:03:35.476273060 CET	445	49787	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:35.476334095 CET	49787	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.476377010 CET	49787	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.477479935 CET	49788	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.477567911 CET	445	49786	51.178.254.227	192.168.2.4
Jan 14, 2025 21:03:35.478980064 CET	49786	445	192.168.2.4	51.178.254.227
Jan 14, 2025 21:03:35.481296062 CET	445	49787	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:35.481359959 CET	49787	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.482279062 CET	445	49788	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:35.482342005 CET	49788	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.482415915 CET	49788	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:35.487173080 CET	445	49788	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:37.481443882 CET	49811	445	192.168.2.4	197.203.23.202
Jan 14, 2025 21:03:37.486295938 CET	445	49811	197.203.23.202	192.168.2.4
Jan 14, 2025 21:03:37.486392021 CET	49811	445	192.168.2.4	197.203.23.202
Jan 14, 2025 21:03:37.486392021 CET	49811	445	192.168.2.4	197.203.23.202
Jan 14, 2025 21:03:37.486586094 CET	49812	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.491391897 CET	445	49812	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:37.491475105 CET	49812	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.491489887 CET	445	49811	197.203.23.202	192.168.2.4
Jan 14, 2025 21:03:37.491499901 CET	49812	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.491575956 CET	49811	445	192.168.2.4	197.203.23.202
Jan 14, 2025 21:03:37.492537975 CET	49813	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.497222900 CET	445	49812	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:37.497279882 CET	49812	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.497313976 CET	445	49813	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:37.497380018 CET	49813	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.497421980 CET	49813	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:37.502157927 CET	445	49813	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:39.270709991 CET	445	49813	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:39.270858049 CET	49813	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:39.270858049 CET	49813	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:39.270931005 CET	49813	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:39.276161909 CET	445	49813	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:39.276181936 CET	445	49813	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:39.497119904 CET	49835	445	192.168.2.4	7.204.138.14
Jan 14, 2025 21:03:39.502100945 CET	445	49835	7.204.138.14	192.168.2.4
Jan 14, 2025 21:03:39.502181053 CET	49835	445	192.168.2.4	7.204.138.14
Jan 14, 2025 21:03:39.502255917 CET	49835	445	192.168.2.4	7.204.138.14
Jan 14, 2025 21:03:39.502482891 CET	49837	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.507246971 CET	445	49835	7.204.138.14	192.168.2.4
Jan 14, 2025 21:03:39.507302999 CET	49835	445	192.168.2.4	7.204.138.14
Jan 14, 2025 21:03:39.507358074 CET	445	49837	7.204.138.1	192.168.2.4
Jan 14, 2025 21:03:39.507430077 CET	49837	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.507523060 CET	49837	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.508609056 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.513400078 CET	445	49837	7.204.138.1	192.168.2.4
Jan 14, 2025 21:03:39.513463020 CET	49837	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.514187098 CET	445	49838	7.204.138.1	192.168.2.4
Jan 14, 2025 21:03:39.514259100 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.514305115 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:03:39.520148039 CET	445	49838	7.204.138.1	192.168.2.4
Jan 14, 2025 21:03:41.546792984 CET	49860	445	192.168.2.4	27.44.253.47
Jan 14, 2025 21:03:41.551672935 CET	445	49860	27.44.253.47	192.168.2.4
Jan 14, 2025 21:03:41.552092075 CET	49860	445	192.168.2.4	27.44.253.47
Jan 14, 2025 21:03:41.552165985 CET	49860	445	192.168.2.4	27.44.253.47
Jan 14, 2025 21:03:41.552346945 CET	49861	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.557168007 CET	445	49861	27.44.253.1	192.168.2.4
Jan 14, 2025 21:03:41.557194948 CET	445	49860	27.44.253.47	192.168.2.4
Jan 14, 2025 21:03:41.557218075 CET	49861	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.557248116 CET	49860	445	192.168.2.4	27.44.253.47
Jan 14, 2025 21:03:41.559505939 CET	49861	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.563662052 CET	49862	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.564373970 CET	445	49861	27.44.253.1	192.168.2.4
Jan 14, 2025 21:03:41.564425945 CET	49861	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.568449974 CET	445	49862	27.44.253.1	192.168.2.4
Jan 14, 2025 21:03:41.568770885 CET	49862	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.571150064 CET	49862	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:03:41.578614950 CET	445	49862	27.44.253.1	192.168.2.4
Jan 14, 2025 21:03:42.277409077 CET	49871	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:42.282417059 CET	445	49871	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:42.282506943 CET	49871	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:42.282569885 CET	49871	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:42.287365913 CET	445	49871	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:43.543260098 CET	49886	445	192.168.2.4	19.72.220.15
Jan 14, 2025 21:03:43.548064947 CET	445	49886	19.72.220.15	192.168.2.4
Jan 14, 2025 21:03:43.548135996 CET	49886	445	192.168.2.4	19.72.220.15
Jan 14, 2025 21:03:43.548201084 CET	49886	445	192.168.2.4	19.72.220.15
Jan 14, 2025 21:03:43.548374891 CET	49887	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.553081036 CET	445	49886	19.72.220.15	192.168.2.4
Jan 14, 2025 21:03:43.553128958 CET	49886	445	192.168.2.4	19.72.220.15
Jan 14, 2025 21:03:43.553189039 CET	445	49887	19.72.220.1	192.168.2.4
Jan 14, 2025 21:03:43.553268909 CET	49887	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.553268909 CET	49887	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.553534985 CET	49888	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.558403969 CET	445	49887	19.72.220.1	192.168.2.4
Jan 14, 2025 21:03:43.558422089 CET	445	49888	19.72.220.1	192.168.2.4
Jan 14, 2025 21:03:43.558456898 CET	49887	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.558506966 CET	49888	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.558506966 CET	49888	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:03:43.563308001 CET	445	49888	19.72.220.1	192.168.2.4
Jan 14, 2025 21:03:44.036552906 CET	445	49871	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:44.038902998 CET	49871	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:44.040544033 CET	49871	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:44.040601969 CET	49871	445	192.168.2.4	197.203.23.1
Jan 14, 2025 21:03:44.045428038 CET	445	49871	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:44.045459986 CET	445	49871	197.203.23.1	192.168.2.4
Jan 14, 2025 21:03:44.117950916 CET	49896	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.123279095 CET	445	49896	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:44.123466969 CET	49896	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.123466969 CET	49896	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.123799086 CET	49898	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.128622055 CET	445	49898	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:44.128704071 CET	49898	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.128859997 CET	445	49896	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:44.130805016 CET	49896	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.130919933 CET	49898	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:44.135687113 CET	445	49898	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:45.558918953 CET	49912	445	192.168.2.4	172.230.50.208
Jan 14, 2025 21:03:45.563925028 CET	445	49912	172.230.50.208	192.168.2.4
Jan 14, 2025 21:03:45.567418098 CET	49912	445	192.168.2.4	172.230.50.208
Jan 14, 2025 21:03:45.567542076 CET	49912	445	192.168.2.4	172.230.50.208
Jan 14, 2025 21:03:45.567709923 CET	49913	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.572386980 CET	445	49912	172.230.50.208	192.168.2.4
Jan 14, 2025 21:03:45.572506905 CET	445	49913	172.230.50.1	192.168.2.4
Jan 14, 2025 21:03:45.572680950 CET	49912	445	192.168.2.4	172.230.50.208
Jan 14, 2025 21:03:45.572716951 CET	49913	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.572771072 CET	49913	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.573050976 CET	49914	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.577728033 CET	445	49913	172.230.50.1	192.168.2.4
Jan 14, 2025 21:03:45.577872038 CET	445	49914	172.230.50.1	192.168.2.4
Jan 14, 2025 21:03:45.577943087 CET	49913	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.577977896 CET	49914	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.578016043 CET	49914	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:03:45.582832098 CET	445	49914	172.230.50.1	192.168.2.4
Jan 14, 2025 21:03:45.858201981 CET	445	49898	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:45.858310938 CET	49898	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:45.858355999 CET	49898	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:45.858433962 CET	49898	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:45.864475012 CET	445	49898	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:45.864640951 CET	445	49898	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:47.574594021 CET	49937	445	192.168.2.4	15.181.139.109
Jan 14, 2025 21:03:47.579372883 CET	445	49937	15.181.139.109	192.168.2.4
Jan 14, 2025 21:03:47.579479933 CET	49937	445	192.168.2.4	15.181.139.109
Jan 14, 2025 21:03:47.579479933 CET	49937	445	192.168.2.4	15.181.139.109
Jan 14, 2025 21:03:47.579626083 CET	49938	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.584409952 CET	445	49938	15.181.139.1	192.168.2.4
Jan 14, 2025 21:03:47.584475994 CET	49938	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.584492922 CET	49938	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.584506989 CET	445	49937	15.181.139.109	192.168.2.4
Jan 14, 2025 21:03:47.584557056 CET	49937	445	192.168.2.4	15.181.139.109
Jan 14, 2025 21:03:47.584784031 CET	49939	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.589440107 CET	445	49938	15.181.139.1	192.168.2.4
Jan 14, 2025 21:03:47.589507103 CET	49938	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.589598894 CET	445	49939	15.181.139.1	192.168.2.4
Jan 14, 2025 21:03:47.589653015 CET	49939	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.589720011 CET	49939	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:03:47.594491959 CET	445	49939	15.181.139.1	192.168.2.4
Jan 14, 2025 21:03:48.871222973 CET	49953	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:48.876039982 CET	445	49953	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:48.876117945 CET	49953	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:48.876164913 CET	49953	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:48.880964041 CET	445	49953	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:49.590255022 CET	49961	445	192.168.2.4	155.185.174.106
Jan 14, 2025 21:03:49.595181942 CET	445	49961	155.185.174.106	192.168.2.4
Jan 14, 2025 21:03:49.595242023 CET	49961	445	192.168.2.4	155.185.174.106
Jan 14, 2025 21:03:49.595334053 CET	49961	445	192.168.2.4	155.185.174.106
Jan 14, 2025 21:03:49.595432043 CET	49962	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.600186110 CET	445	49962	155.185.174.1	192.168.2.4
Jan 14, 2025 21:03:49.600244045 CET	49962	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.600284100 CET	445	49961	155.185.174.106	192.168.2.4
Jan 14, 2025 21:03:49.600294113 CET	445	49961	155.185.174.106	192.168.2.4
Jan 14, 2025 21:03:49.600377083 CET	49962	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.600402117 CET	49961	445	192.168.2.4	155.185.174.106
Jan 14, 2025 21:03:49.600656986 CET	49963	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.605262995 CET	445	49962	155.185.174.1	192.168.2.4
Jan 14, 2025 21:03:49.605319023 CET	49962	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.605429888 CET	445	49963	155.185.174.1	192.168.2.4
Jan 14, 2025 21:03:49.605489969 CET	49963	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.605529070 CET	49963	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:03:49.610312939 CET	445	49963	155.185.174.1	192.168.2.4
Jan 14, 2025 21:03:50.584050894 CET	445	49953	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:50.584212065 CET	49953	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:50.590207100 CET	49953	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:50.590260983 CET	49953	445	192.168.2.4	197.203.23.2
Jan 14, 2025 21:03:50.595068932 CET	445	49953	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:50.595081091 CET	445	49953	197.203.23.2	192.168.2.4
Jan 14, 2025 21:03:50.686439037 CET	49975	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.692959070 CET	445	49975	197.203.23.3	192.168.2.4
Jan 14, 2025 21:03:50.693111897 CET	49975	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.702748060 CET	49975	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.703268051 CET	49977	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.708758116 CET	445	49975	197.203.23.3	192.168.2.4
Jan 14, 2025 21:03:50.708883047 CET	49975	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.709114075 CET	445	49977	197.203.23.3	192.168.2.4
Jan 14, 2025 21:03:50.709191084 CET	49977	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.709224939 CET	49977	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:03:50.714878082 CET	445	49977	197.203.23.3	192.168.2.4
Jan 14, 2025 21:03:51.215037107 CET	49724	80	192.168.2.4	2.16.168.102
Jan 14, 2025 21:03:51.220587969 CET	80	49724	2.16.168.102	192.168.2.4
Jan 14, 2025 21:03:51.220642090 CET	49724	80	192.168.2.4	2.16.168.102
Jan 14, 2025 21:03:51.606612921 CET	49988	445	192.168.2.4	93.140.22.189
Jan 14, 2025 21:03:51.611850977 CET	445	49988	93.140.22.189	192.168.2.4
Jan 14, 2025 21:03:51.611958027 CET	49988	445	192.168.2.4	93.140.22.189
Jan 14, 2025 21:03:51.612481117 CET	49988	445	192.168.2.4	93.140.22.189
Jan 14, 2025 21:03:51.612648010 CET	49989	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.617402077 CET	445	49989	93.140.22.1	192.168.2.4
Jan 14, 2025 21:03:51.617502928 CET	49989	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.617571115 CET	445	49988	93.140.22.189	192.168.2.4
Jan 14, 2025 21:03:51.617624044 CET	49988	445	192.168.2.4	93.140.22.189
Jan 14, 2025 21:03:51.620377064 CET	49989	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.620966911 CET	49990	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.625214100 CET	445	49989	93.140.22.1	192.168.2.4
Jan 14, 2025 21:03:51.625288963 CET	49989	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.625742912 CET	445	49990	93.140.22.1	192.168.2.4
Jan 14, 2025 21:03:51.625818014 CET	49990	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.625991106 CET	49990	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:03:51.630736113 CET	445	49990	93.140.22.1	192.168.2.4
Jan 14, 2025 21:03:52.850600004 CET	445	49737	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:52.851905107 CET	49737	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:52.851993084 CET	49737	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:52.852087021 CET	49737	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:52.856873989 CET	445	49737	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:52.856884003 CET	445	49737	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:53.691019058 CET	50011	445	192.168.2.4	39.74.29.188
Jan 14, 2025 21:03:53.695950031 CET	445	50011	39.74.29.188	192.168.2.4
Jan 14, 2025 21:03:53.696034908 CET	50011	445	192.168.2.4	39.74.29.188
Jan 14, 2025 21:03:53.696110010 CET	50011	445	192.168.2.4	39.74.29.188
Jan 14, 2025 21:03:53.696269989 CET	50012	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.701214075 CET	445	50011	39.74.29.188	192.168.2.4
Jan 14, 2025 21:03:53.701248884 CET	445	50012	39.74.29.1	192.168.2.4
Jan 14, 2025 21:03:53.701298952 CET	50011	445	192.168.2.4	39.74.29.188
Jan 14, 2025 21:03:53.701368093 CET	50012	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.712743998 CET	50012	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.717611074 CET	445	50012	39.74.29.1	192.168.2.4
Jan 14, 2025 21:03:53.717704058 CET	50012	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.769309044 CET	50013	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.774204016 CET	445	50013	39.74.29.1	192.168.2.4
Jan 14, 2025 21:03:53.774333954 CET	50013	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.779685974 CET	50013	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:03:53.784519911 CET	445	50013	39.74.29.1	192.168.2.4
Jan 14, 2025 21:03:54.832032919 CET	445	49763	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:54.832333088 CET	49763	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:54.832333088 CET	49763	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:54.832333088 CET	49763	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:54.837240934 CET	445	49763	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:54.837255001 CET	445	49763	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:55.699896097 CET	50037	445	192.168.2.4	19.249.31.253
Jan 14, 2025 21:03:55.704782009 CET	445	50037	19.249.31.253	192.168.2.4
Jan 14, 2025 21:03:55.704895020 CET	50037	445	192.168.2.4	19.249.31.253
Jan 14, 2025 21:03:55.705053091 CET	50037	445	192.168.2.4	19.249.31.253
Jan 14, 2025 21:03:55.705348015 CET	50038	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.710134029 CET	445	50037	19.249.31.253	192.168.2.4
Jan 14, 2025 21:03:55.710151911 CET	445	50038	19.249.31.1	192.168.2.4
Jan 14, 2025 21:03:55.710215092 CET	50037	445	192.168.2.4	19.249.31.253
Jan 14, 2025 21:03:55.710237980 CET	50038	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.710341930 CET	50038	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.710772991 CET	50039	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.715253115 CET	445	50038	19.249.31.1	192.168.2.4
Jan 14, 2025 21:03:55.715336084 CET	50038	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.715595007 CET	445	50039	19.249.31.1	192.168.2.4
Jan 14, 2025 21:03:55.715657949 CET	50039	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.715711117 CET	50039	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:03:55.721273899 CET	445	50039	19.249.31.1	192.168.2.4
Jan 14, 2025 21:03:55.855576992 CET	50041	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:55.860491991 CET	445	50041	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:55.860584974 CET	50041	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:55.860611916 CET	50041	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:03:55.865391016 CET	445	50041	148.126.233.1	192.168.2.4
Jan 14, 2025 21:03:56.864717960 CET	445	49788	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:56.864795923 CET	49788	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:56.864909887 CET	49788	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:56.865009069 CET	49788	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:56.869721889 CET	445	49788	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:56.869772911 CET	445	49788	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:57.715173960 CET	50045	445	192.168.2.4	19.135.66.238
Jan 14, 2025 21:03:57.720127106 CET	445	50045	19.135.66.238	192.168.2.4
Jan 14, 2025 21:03:57.720218897 CET	50045	445	192.168.2.4	19.135.66.238
Jan 14, 2025 21:03:57.720256090 CET	50045	445	192.168.2.4	19.135.66.238
Jan 14, 2025 21:03:57.720351934 CET	50046	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.725178957 CET	445	50046	19.135.66.1	192.168.2.4
Jan 14, 2025 21:03:57.725255013 CET	50046	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.725279093 CET	50046	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.725351095 CET	445	50045	19.135.66.238	192.168.2.4
Jan 14, 2025 21:03:57.725411892 CET	50045	445	192.168.2.4	19.135.66.238
Jan 14, 2025 21:03:57.725734949 CET	50047	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.730211973 CET	445	50046	19.135.66.1	192.168.2.4
Jan 14, 2025 21:03:57.730271101 CET	50046	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.730577946 CET	445	50047	19.135.66.1	192.168.2.4
Jan 14, 2025 21:03:57.730648994 CET	50047	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.730693102 CET	50047	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:03:57.735467911 CET	445	50047	19.135.66.1	192.168.2.4
Jan 14, 2025 21:03:57.840063095 CET	50048	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:57.844866991 CET	445	50048	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:57.844940901 CET	50048	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:57.845031023 CET	50048	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:03:57.850749969 CET	445	50048	17.207.165.1	192.168.2.4
Jan 14, 2025 21:03:59.731040955 CET	50049	445	192.168.2.4	174.8.52.170
Jan 14, 2025 21:03:59.735888004 CET	445	50049	174.8.52.170	192.168.2.4
Jan 14, 2025 21:03:59.736044884 CET	50049	445	192.168.2.4	174.8.52.170
Jan 14, 2025 21:03:59.736088037 CET	50049	445	192.168.2.4	174.8.52.170
Jan 14, 2025 21:03:59.736313105 CET	50050	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.741142035 CET	445	50049	174.8.52.170	192.168.2.4
Jan 14, 2025 21:03:59.741153002 CET	445	50050	174.8.52.1	192.168.2.4
Jan 14, 2025 21:03:59.741245031 CET	50049	445	192.168.2.4	174.8.52.170
Jan 14, 2025 21:03:59.741272926 CET	50050	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.741324902 CET	50050	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.742085934 CET	50051	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.746311903 CET	445	50050	174.8.52.1	192.168.2.4
Jan 14, 2025 21:03:59.746361017 CET	50050	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.746910095 CET	445	50051	174.8.52.1	192.168.2.4
Jan 14, 2025 21:03:59.747001886 CET	50051	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.747001886 CET	50051	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:03:59.751841068 CET	445	50051	174.8.52.1	192.168.2.4
Jan 14, 2025 21:03:59.871328115 CET	50052	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:59.876187086 CET	445	50052	51.178.254.1	192.168.2.4
Jan 14, 2025 21:03:59.876341105 CET	50052	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:59.876413107 CET	50052	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:03:59.881280899 CET	445	50052	51.178.254.1	192.168.2.4
Jan 14, 2025 21:04:01.274308920 CET	445	49838	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:01.274399996 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:01.274465084 CET	445	49838	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:01.274511099 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:01.274650097 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:01.274650097 CET	49838	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:01.284540892 CET	445	49838	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:01.284550905 CET	445	49838	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:01.746573925 CET	50053	445	192.168.2.4	206.149.19.247
Jan 14, 2025 21:04:01.754352093 CET	445	50053	206.149.19.247	192.168.2.4
Jan 14, 2025 21:04:01.754502058 CET	50053	445	192.168.2.4	206.149.19.247
Jan 14, 2025 21:04:01.754642963 CET	50053	445	192.168.2.4	206.149.19.247
Jan 14, 2025 21:04:01.754699945 CET	50054	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.761269093 CET	445	50054	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:01.761334896 CET	50054	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.761456013 CET	445	50053	206.149.19.247	192.168.2.4
Jan 14, 2025 21:04:01.761554956 CET	50053	445	192.168.2.4	206.149.19.247
Jan 14, 2025 21:04:01.761581898 CET	50054	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.761882067 CET	50055	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.768309116 CET	445	50055	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:01.768318892 CET	445	50054	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:01.768415928 CET	50055	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.768418074 CET	50054	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.768429041 CET	50055	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:01.776168108 CET	445	50055	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:02.925215006 CET	445	49862	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:02.925460100 CET	49862	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:02.925460100 CET	49862	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:02.927335978 CET	49862	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:02.930289030 CET	445	49862	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:02.932136059 CET	445	49862	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:03.762119055 CET	50056	445	192.168.2.4	30.53.7.75
Jan 14, 2025 21:04:03.767024040 CET	445	50056	30.53.7.75	192.168.2.4
Jan 14, 2025 21:04:03.767111063 CET	50056	445	192.168.2.4	30.53.7.75
Jan 14, 2025 21:04:03.767246008 CET	50056	445	192.168.2.4	30.53.7.75
Jan 14, 2025 21:04:03.767436981 CET	50057	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.771990061 CET	445	50056	30.53.7.75	192.168.2.4
Jan 14, 2025 21:04:03.772046089 CET	50056	445	192.168.2.4	30.53.7.75
Jan 14, 2025 21:04:03.772289991 CET	445	50057	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:03.772351027 CET	50057	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.772429943 CET	50057	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.772674084 CET	50058	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.777333021 CET	445	50057	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:03.777384996 CET	50057	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.777493954 CET	445	50058	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:03.777549982 CET	50058	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.777579069 CET	50058	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:03.782324076 CET	445	50058	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:04.277633905 CET	50059	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:04.282476902 CET	445	50059	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:04.282565117 CET	50059	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:04.282602072 CET	50059	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:04.287384987 CET	445	50059	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:04.925964117 CET	445	49888	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:04.926150084 CET	49888	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:04.926186085 CET	49888	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:04.926224947 CET	49888	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:04.931360960 CET	445	49888	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:04.931458950 CET	445	49888	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:05.777834892 CET	50060	445	192.168.2.4	76.215.58.166
Jan 14, 2025 21:04:05.782846928 CET	445	50060	76.215.58.166	192.168.2.4
Jan 14, 2025 21:04:05.782983065 CET	50060	445	192.168.2.4	76.215.58.166
Jan 14, 2025 21:04:05.783093929 CET	50060	445	192.168.2.4	76.215.58.166
Jan 14, 2025 21:04:05.783344030 CET	50061	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.789566994 CET	445	50061	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:05.789658070 CET	50061	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.789732933 CET	50061	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.790014982 CET	50062	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.790088892 CET	445	50060	76.215.58.166	192.168.2.4
Jan 14, 2025 21:04:05.790148020 CET	50060	445	192.168.2.4	76.215.58.166
Jan 14, 2025 21:04:05.795593977 CET	445	50061	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:05.795711994 CET	50061	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.795916080 CET	445	50062	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:05.795988083 CET	50062	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.796047926 CET	50062	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:05.801315069 CET	445	50062	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:05.933732986 CET	50063	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:05.938668966 CET	445	50063	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:05.938781977 CET	50063	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:05.938889027 CET	50063	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:05.943692923 CET	445	50063	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:06.956482887 CET	445	49914	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:06.956684113 CET	49914	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:06.956684113 CET	49914	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:06.956789970 CET	49914	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:06.961612940 CET	445	49914	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:06.961622953 CET	445	49914	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:07.653012991 CET	50064	445	192.168.2.4	3.121.48.189
Jan 14, 2025 21:04:07.657847881 CET	445	50064	3.121.48.189	192.168.2.4
Jan 14, 2025 21:04:07.657984018 CET	50064	445	192.168.2.4	3.121.48.189
Jan 14, 2025 21:04:07.658157110 CET	50064	445	192.168.2.4	3.121.48.189
Jan 14, 2025 21:04:07.658422947 CET	50065	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.662944078 CET	445	50064	3.121.48.189	192.168.2.4
Jan 14, 2025 21:04:07.663047075 CET	50064	445	192.168.2.4	3.121.48.189
Jan 14, 2025 21:04:07.663423061 CET	445	50065	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:07.663611889 CET	50065	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.663732052 CET	50065	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.664086103 CET	50066	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.668490887 CET	445	50065	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:07.668586016 CET	50065	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.668875933 CET	445	50066	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:07.668936968 CET	50066	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.668972015 CET	50066	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:07.673688889 CET	445	50066	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:07.940498114 CET	50067	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:07.945295095 CET	445	50067	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:07.945353985 CET	50067	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:07.953383923 CET	50067	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:07.958117008 CET	445	50067	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:08.978070974 CET	445	49939	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:08.978291988 CET	49939	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:08.978420973 CET	49939	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:08.978420973 CET	49939	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:08.983310938 CET	445	49939	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:08.983325958 CET	445	49939	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:09.403115988 CET	50068	445	192.168.2.4	48.100.13.147
Jan 14, 2025 21:04:09.407948017 CET	445	50068	48.100.13.147	192.168.2.4
Jan 14, 2025 21:04:09.410893917 CET	50068	445	192.168.2.4	48.100.13.147
Jan 14, 2025 21:04:09.410893917 CET	50068	445	192.168.2.4	48.100.13.147
Jan 14, 2025 21:04:09.411063910 CET	50069	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:09.415787935 CET	445	50069	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:09.415915966 CET	445	50068	48.100.13.147	192.168.2.4
Jan 14, 2025 21:04:09.416003942 CET	50068	445	192.168.2.4	48.100.13.147
Jan 14, 2025 21:04:09.416009903 CET	50069	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:09.416362047 CET	50070	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:09.421046972 CET	445	50069	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:09.421204090 CET	445	50070	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:09.421264887 CET	50069	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:09.421300888 CET	50070	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:09.421361923 CET	50070	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:09.426095009 CET	445	50070	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:09.964996099 CET	50071	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:09.969871044 CET	445	50071	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:09.969942093 CET	50071	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:09.969984055 CET	50071	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:09.974778891 CET	445	50071	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:10.989974976 CET	445	49963	155.185.174.1	192.168.2.4
Jan 14, 2025 21:04:10.990164995 CET	49963	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:10.990164995 CET	49963	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:10.990164995 CET	49963	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:10.995134115 CET	445	49963	155.185.174.1	192.168.2.4
Jan 14, 2025 21:04:10.995167017 CET	445	49963	155.185.174.1	192.168.2.4
Jan 14, 2025 21:04:11.043293953 CET	50072	445	192.168.2.4	106.197.232.186
Jan 14, 2025 21:04:11.048183918 CET	445	50072	106.197.232.186	192.168.2.4
Jan 14, 2025 21:04:11.048276901 CET	50072	445	192.168.2.4	106.197.232.186
Jan 14, 2025 21:04:11.048316002 CET	50072	445	192.168.2.4	106.197.232.186
Jan 14, 2025 21:04:11.048499107 CET	50073	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.053276062 CET	445	50072	106.197.232.186	192.168.2.4
Jan 14, 2025 21:04:11.053312063 CET	445	50073	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:11.053350925 CET	50072	445	192.168.2.4	106.197.232.186
Jan 14, 2025 21:04:11.053384066 CET	50073	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.053466082 CET	50073	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.053709030 CET	50074	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.058511019 CET	445	50073	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:11.058543921 CET	445	50074	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:11.058624029 CET	50073	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.058667898 CET	50074	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.058686972 CET	50074	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:11.063559055 CET	445	50074	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:11.980484962 CET	50075	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:11.985398054 CET	445	50075	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:11.985471010 CET	50075	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:11.985517025 CET	50075	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:11.990619898 CET	445	50075	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:12.082618952 CET	445	49977	197.203.23.3	192.168.2.4
Jan 14, 2025 21:04:12.082715034 CET	49977	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:12.082742929 CET	49977	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:12.082817078 CET	49977	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:12.088674068 CET	445	49977	197.203.23.3	192.168.2.4
Jan 14, 2025 21:04:12.089013100 CET	445	49977	197.203.23.3	192.168.2.4
Jan 14, 2025 21:04:12.574831009 CET	50076	445	192.168.2.4	119.29.17.242
Jan 14, 2025 21:04:12.579632044 CET	445	50076	119.29.17.242	192.168.2.4
Jan 14, 2025 21:04:12.579700947 CET	50076	445	192.168.2.4	119.29.17.242
Jan 14, 2025 21:04:12.579801083 CET	50076	445	192.168.2.4	119.29.17.242
Jan 14, 2025 21:04:12.579952002 CET	50077	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.584760904 CET	445	50077	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:12.584824085 CET	50077	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.584847927 CET	50077	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.584851027 CET	445	50076	119.29.17.242	192.168.2.4
Jan 14, 2025 21:04:12.584897041 CET	50076	445	192.168.2.4	119.29.17.242
Jan 14, 2025 21:04:12.585222960 CET	50078	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.589737892 CET	445	50077	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:12.589790106 CET	50077	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.590060949 CET	445	50078	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:12.590121031 CET	50078	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.590164900 CET	50078	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:12.594950914 CET	445	50078	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:13.024991989 CET	445	49990	93.140.22.1	192.168.2.4
Jan 14, 2025 21:04:13.025149107 CET	49990	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:13.025176048 CET	49990	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:13.025249958 CET	49990	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:13.029988050 CET	445	49990	93.140.22.1	192.168.2.4
Jan 14, 2025 21:04:13.030002117 CET	445	49990	93.140.22.1	192.168.2.4
Jan 14, 2025 21:04:13.996215105 CET	50080	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:13.996709108 CET	50081	445	192.168.2.4	176.153.185.129
Jan 14, 2025 21:04:14.001130104 CET	445	50080	155.185.174.1	192.168.2.4
Jan 14, 2025 21:04:14.001209974 CET	50080	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:14.001249075 CET	50080	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:14.001931906 CET	445	50081	176.153.185.129	192.168.2.4
Jan 14, 2025 21:04:14.001987934 CET	50081	445	192.168.2.4	176.153.185.129
Jan 14, 2025 21:04:14.002017975 CET	50081	445	192.168.2.4	176.153.185.129
Jan 14, 2025 21:04:14.002137899 CET	50082	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.006025076 CET	445	50080	155.185.174.1	192.168.2.4
Jan 14, 2025 21:04:14.006906033 CET	445	50082	176.153.185.1	192.168.2.4
Jan 14, 2025 21:04:14.006973982 CET	50082	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.007003069 CET	50082	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.007004976 CET	445	50081	176.153.185.129	192.168.2.4
Jan 14, 2025 21:04:14.007059097 CET	50081	445	192.168.2.4	176.153.185.129
Jan 14, 2025 21:04:14.007338047 CET	50083	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.011986971 CET	445	50082	176.153.185.1	192.168.2.4
Jan 14, 2025 21:04:14.012053967 CET	50082	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.012224913 CET	445	50083	176.153.185.1	192.168.2.4
Jan 14, 2025 21:04:14.012315035 CET	50083	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.012358904 CET	50083	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:14.017136097 CET	445	50083	176.153.185.1	192.168.2.4
Jan 14, 2025 21:04:15.089901924 CET	50089	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:15.094892025 CET	445	50089	197.203.23.3	192.168.2.4
Jan 14, 2025 21:04:15.095061064 CET	50089	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:15.095118999 CET	50089	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:15.099937916 CET	445	50089	197.203.23.3	192.168.2.4
Jan 14, 2025 21:04:15.161516905 CET	445	50013	39.74.29.1	192.168.2.4
Jan 14, 2025 21:04:15.161588907 CET	50013	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:15.161664009 CET	50013	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:15.161725044 CET	50013	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:15.166398048 CET	445	50013	39.74.29.1	192.168.2.4
Jan 14, 2025 21:04:15.166462898 CET	445	50013	39.74.29.1	192.168.2.4
Jan 14, 2025 21:04:15.324598074 CET	50090	445	192.168.2.4	152.209.52.89
Jan 14, 2025 21:04:15.329412937 CET	445	50090	152.209.52.89	192.168.2.4
Jan 14, 2025 21:04:15.329523087 CET	50090	445	192.168.2.4	152.209.52.89
Jan 14, 2025 21:04:15.329533100 CET	50090	445	192.168.2.4	152.209.52.89
Jan 14, 2025 21:04:15.329700947 CET	50091	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.334460974 CET	445	50090	152.209.52.89	192.168.2.4
Jan 14, 2025 21:04:15.334482908 CET	445	50091	152.209.52.1	192.168.2.4
Jan 14, 2025 21:04:15.334527969 CET	50090	445	192.168.2.4	152.209.52.89
Jan 14, 2025 21:04:15.334562063 CET	50091	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.334614038 CET	50091	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.334950924 CET	50092	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.339488983 CET	445	50091	152.209.52.1	192.168.2.4
Jan 14, 2025 21:04:15.339545012 CET	50091	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.339783907 CET	445	50092	152.209.52.1	192.168.2.4
Jan 14, 2025 21:04:15.339862108 CET	50092	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.339880943 CET	50092	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:15.344722986 CET	445	50092	152.209.52.1	192.168.2.4
Jan 14, 2025 21:04:16.027426958 CET	50098	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:16.032206059 CET	445	50098	93.140.22.1	192.168.2.4
Jan 14, 2025 21:04:16.032280922 CET	50098	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:16.032320023 CET	50098	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:16.037014008 CET	445	50098	93.140.22.1	192.168.2.4
Jan 14, 2025 21:04:16.559345007 CET	50104	445	192.168.2.4	135.107.147.114
Jan 14, 2025 21:04:16.564222097 CET	445	50104	135.107.147.114	192.168.2.4
Jan 14, 2025 21:04:16.564466953 CET	50104	445	192.168.2.4	135.107.147.114
Jan 14, 2025 21:04:16.564661980 CET	50104	445	192.168.2.4	135.107.147.114
Jan 14, 2025 21:04:16.564990044 CET	50105	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.569489956 CET	445	50104	135.107.147.114	192.168.2.4
Jan 14, 2025 21:04:16.569572926 CET	50104	445	192.168.2.4	135.107.147.114
Jan 14, 2025 21:04:16.569782019 CET	445	50105	135.107.147.1	192.168.2.4
Jan 14, 2025 21:04:16.569852114 CET	50105	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.569875956 CET	50105	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.570144892 CET	50106	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.574974060 CET	445	50105	135.107.147.1	192.168.2.4
Jan 14, 2025 21:04:16.574982882 CET	445	50106	135.107.147.1	192.168.2.4
Jan 14, 2025 21:04:16.575042963 CET	50105	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.575095892 CET	50106	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.575119972 CET	50106	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:16.579894066 CET	445	50106	135.107.147.1	192.168.2.4
Jan 14, 2025 21:04:17.102432013 CET	445	50039	19.249.31.1	192.168.2.4
Jan 14, 2025 21:04:17.102556944 CET	50039	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:17.102607965 CET	50039	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:17.102657080 CET	50039	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:17.108335018 CET	445	50039	19.249.31.1	192.168.2.4
Jan 14, 2025 21:04:17.108346939 CET	445	50039	19.249.31.1	192.168.2.4
Jan 14, 2025 21:04:17.257327080 CET	445	50041	148.126.233.1	192.168.2.4
Jan 14, 2025 21:04:17.257397890 CET	50041	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:04:17.257484913 CET	50041	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:04:17.257558107 CET	50041	445	192.168.2.4	148.126.233.1
Jan 14, 2025 21:04:17.262365103 CET	445	50041	148.126.233.1	192.168.2.4
Jan 14, 2025 21:04:17.262376070 CET	445	50041	148.126.233.1	192.168.2.4
Jan 14, 2025 21:04:17.308778048 CET	50112	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.313556910 CET	445	50112	148.126.233.2	192.168.2.4
Jan 14, 2025 21:04:17.313724041 CET	50112	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.313724041 CET	50112	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.313996077 CET	50113	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.318732977 CET	445	50113	148.126.233.2	192.168.2.4
Jan 14, 2025 21:04:17.318793058 CET	50113	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.318809986 CET	50113	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.318891048 CET	445	50112	148.126.233.2	192.168.2.4
Jan 14, 2025 21:04:17.318938971 CET	50112	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:17.323571920 CET	445	50113	148.126.233.2	192.168.2.4
Jan 14, 2025 21:04:17.715228081 CET	50114	445	192.168.2.4	85.26.53.136
Jan 14, 2025 21:04:17.720098019 CET	445	50114	85.26.53.136	192.168.2.4
Jan 14, 2025 21:04:17.720185995 CET	50114	445	192.168.2.4	85.26.53.136
Jan 14, 2025 21:04:17.720206022 CET	50114	445	192.168.2.4	85.26.53.136
Jan 14, 2025 21:04:17.720293999 CET	50115	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.725049019 CET	445	50115	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:17.725106955 CET	50115	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.725136042 CET	50115	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.725445986 CET	50116	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.726056099 CET	445	50114	85.26.53.136	192.168.2.4
Jan 14, 2025 21:04:17.726129055 CET	50114	445	192.168.2.4	85.26.53.136
Jan 14, 2025 21:04:17.730073929 CET	445	50115	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:17.730117083 CET	50115	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.730231047 CET	445	50116	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:17.730283022 CET	50116	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.730310917 CET	50116	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:17.735009909 CET	445	50116	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:18.168026924 CET	50122	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:18.174221992 CET	445	50122	39.74.29.1	192.168.2.4
Jan 14, 2025 21:04:18.174338102 CET	50122	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:18.179302931 CET	50122	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:18.184094906 CET	445	50122	39.74.29.1	192.168.2.4
Jan 14, 2025 21:04:18.793411970 CET	50128	445	192.168.2.4	95.154.143.226
Jan 14, 2025 21:04:18.798338890 CET	445	50128	95.154.143.226	192.168.2.4
Jan 14, 2025 21:04:18.798455954 CET	50128	445	192.168.2.4	95.154.143.226
Jan 14, 2025 21:04:18.798584938 CET	50128	445	192.168.2.4	95.154.143.226
Jan 14, 2025 21:04:18.798830032 CET	50129	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.803658009 CET	445	50128	95.154.143.226	192.168.2.4
Jan 14, 2025 21:04:18.803670883 CET	445	50129	95.154.143.1	192.168.2.4
Jan 14, 2025 21:04:18.803746939 CET	50128	445	192.168.2.4	95.154.143.226
Jan 14, 2025 21:04:18.803813934 CET	50129	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.803885937 CET	50129	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.804301977 CET	50130	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.808768034 CET	445	50129	95.154.143.1	192.168.2.4
Jan 14, 2025 21:04:18.808837891 CET	50129	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.809149981 CET	445	50130	95.154.143.1	192.168.2.4
Jan 14, 2025 21:04:18.809223890 CET	50130	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.809273958 CET	50130	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:18.814074993 CET	445	50130	95.154.143.1	192.168.2.4
Jan 14, 2025 21:04:19.132407904 CET	445	50047	19.135.66.1	192.168.2.4
Jan 14, 2025 21:04:19.132623911 CET	50047	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:19.132642031 CET	50047	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:19.132721901 CET	50047	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:19.137547016 CET	445	50047	19.135.66.1	192.168.2.4
Jan 14, 2025 21:04:19.137577057 CET	445	50047	19.135.66.1	192.168.2.4
Jan 14, 2025 21:04:19.222738028 CET	445	50048	17.207.165.1	192.168.2.4
Jan 14, 2025 21:04:19.222852945 CET	50048	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:04:19.222913980 CET	50048	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:04:19.222975016 CET	50048	445	192.168.2.4	17.207.165.1
Jan 14, 2025 21:04:19.227674961 CET	445	50048	17.207.165.1	192.168.2.4
Jan 14, 2025 21:04:19.227763891 CET	445	50048	17.207.165.1	192.168.2.4
Jan 14, 2025 21:04:19.277555943 CET	50131	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.282392025 CET	445	50131	17.207.165.2	192.168.2.4
Jan 14, 2025 21:04:19.282522917 CET	50131	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.282582045 CET	50131	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.282996893 CET	50132	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.287832022 CET	445	50132	17.207.165.2	192.168.2.4
Jan 14, 2025 21:04:19.287919044 CET	50132	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.288064003 CET	50132	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.288278103 CET	445	50131	17.207.165.2	192.168.2.4
Jan 14, 2025 21:04:19.289570093 CET	445	50131	17.207.165.2	192.168.2.4
Jan 14, 2025 21:04:19.289623976 CET	50131	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:19.293118000 CET	445	50132	17.207.165.2	192.168.2.4
Jan 14, 2025 21:04:19.361917973 CET	445	50116	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:19.361989021 CET	50116	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:19.362061024 CET	50116	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:19.362112045 CET	50116	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:19.366862059 CET	445	50116	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:19.366910934 CET	445	50116	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:19.809067965 CET	50138	445	192.168.2.4	129.128.31.112
Jan 14, 2025 21:04:19.813935995 CET	445	50138	129.128.31.112	192.168.2.4
Jan 14, 2025 21:04:19.814033031 CET	50138	445	192.168.2.4	129.128.31.112
Jan 14, 2025 21:04:19.814100981 CET	50138	445	192.168.2.4	129.128.31.112
Jan 14, 2025 21:04:19.814296961 CET	50139	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.818955898 CET	445	50138	129.128.31.112	192.168.2.4
Jan 14, 2025 21:04:19.819083929 CET	50138	445	192.168.2.4	129.128.31.112
Jan 14, 2025 21:04:19.819087029 CET	445	50139	129.128.31.1	192.168.2.4
Jan 14, 2025 21:04:19.819174051 CET	50139	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.819295883 CET	50139	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.819618940 CET	50140	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.824244022 CET	445	50139	129.128.31.1	192.168.2.4
Jan 14, 2025 21:04:19.824311018 CET	50139	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.824426889 CET	445	50140	129.128.31.1	192.168.2.4
Jan 14, 2025 21:04:19.824489117 CET	50140	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.824518919 CET	50140	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:19.829339981 CET	445	50140	129.128.31.1	192.168.2.4
Jan 14, 2025 21:04:20.105587959 CET	50141	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:20.110490084 CET	445	50141	19.249.31.1	192.168.2.4
Jan 14, 2025 21:04:20.110591888 CET	50141	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:20.110652924 CET	50141	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:20.115714073 CET	445	50141	19.249.31.1	192.168.2.4
Jan 14, 2025 21:04:20.746632099 CET	50147	445	192.168.2.4	13.103.137.252
Jan 14, 2025 21:04:20.751518965 CET	445	50147	13.103.137.252	192.168.2.4
Jan 14, 2025 21:04:20.751668930 CET	50147	445	192.168.2.4	13.103.137.252
Jan 14, 2025 21:04:20.751766920 CET	50147	445	192.168.2.4	13.103.137.252
Jan 14, 2025 21:04:20.752038002 CET	50148	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.756795883 CET	445	50147	13.103.137.252	192.168.2.4
Jan 14, 2025 21:04:20.756884098 CET	50147	445	192.168.2.4	13.103.137.252
Jan 14, 2025 21:04:20.756988049 CET	445	50148	13.103.137.1	192.168.2.4
Jan 14, 2025 21:04:20.757101059 CET	50148	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.757162094 CET	50148	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.757488012 CET	50149	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.762073040 CET	445	50148	13.103.137.1	192.168.2.4
Jan 14, 2025 21:04:20.762151003 CET	50148	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.762254953 CET	445	50149	13.103.137.1	192.168.2.4
Jan 14, 2025 21:04:20.762320042 CET	50149	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.762358904 CET	50149	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:20.767081022 CET	445	50149	13.103.137.1	192.168.2.4
Jan 14, 2025 21:04:21.129371881 CET	445	50051	174.8.52.1	192.168.2.4
Jan 14, 2025 21:04:21.129453897 CET	50051	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:21.129496098 CET	50051	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:21.129519939 CET	50051	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:21.134435892 CET	445	50051	174.8.52.1	192.168.2.4
Jan 14, 2025 21:04:21.134466887 CET	445	50051	174.8.52.1	192.168.2.4
Jan 14, 2025 21:04:21.273180962 CET	445	50052	51.178.254.1	192.168.2.4
Jan 14, 2025 21:04:21.273304939 CET	50052	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:04:21.274719954 CET	50052	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:04:21.274897099 CET	50052	445	192.168.2.4	51.178.254.1
Jan 14, 2025 21:04:21.279577017 CET	445	50052	51.178.254.1	192.168.2.4
Jan 14, 2025 21:04:21.279673100 CET	445	50052	51.178.254.1	192.168.2.4
Jan 14, 2025 21:04:21.340138912 CET	50155	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.345093966 CET	445	50155	51.178.254.2	192.168.2.4
Jan 14, 2025 21:04:21.345172882 CET	50155	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.345268965 CET	50155	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.345633984 CET	50156	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.350263119 CET	445	50155	51.178.254.2	192.168.2.4
Jan 14, 2025 21:04:21.350310087 CET	50155	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.350478888 CET	445	50156	51.178.254.2	192.168.2.4
Jan 14, 2025 21:04:21.350543976 CET	50156	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.350564003 CET	50156	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:21.355478048 CET	445	50156	51.178.254.2	192.168.2.4
Jan 14, 2025 21:04:21.621623039 CET	50157	445	192.168.2.4	214.131.32.23
Jan 14, 2025 21:04:21.626485109 CET	445	50157	214.131.32.23	192.168.2.4
Jan 14, 2025 21:04:21.626621962 CET	50157	445	192.168.2.4	214.131.32.23
Jan 14, 2025 21:04:21.626796007 CET	50157	445	192.168.2.4	214.131.32.23
Jan 14, 2025 21:04:21.627005100 CET	50158	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.631598949 CET	445	50157	214.131.32.23	192.168.2.4
Jan 14, 2025 21:04:21.631680965 CET	50157	445	192.168.2.4	214.131.32.23
Jan 14, 2025 21:04:21.631756067 CET	445	50158	214.131.32.1	192.168.2.4
Jan 14, 2025 21:04:21.631824017 CET	50158	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.631892920 CET	50158	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.632236958 CET	50159	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.637017012 CET	445	50159	214.131.32.1	192.168.2.4
Jan 14, 2025 21:04:21.637095928 CET	50159	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.637111902 CET	50159	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.637437105 CET	445	50158	214.131.32.1	192.168.2.4
Jan 14, 2025 21:04:21.637484074 CET	50158	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:21.641891003 CET	445	50159	214.131.32.1	192.168.2.4
Jan 14, 2025 21:04:22.136919022 CET	50165	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:22.143074036 CET	445	50165	19.135.66.1	192.168.2.4
Jan 14, 2025 21:04:22.143172026 CET	50165	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:22.143233061 CET	50165	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:22.148466110 CET	445	50165	19.135.66.1	192.168.2.4
Jan 14, 2025 21:04:22.371140957 CET	50166	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:22.376250982 CET	445	50166	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:22.376348972 CET	50166	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:22.376379967 CET	50166	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:22.381211996 CET	445	50166	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:22.449551105 CET	50167	445	192.168.2.4	165.82.220.242
Jan 14, 2025 21:04:22.455291986 CET	445	50167	165.82.220.242	192.168.2.4
Jan 14, 2025 21:04:22.455383062 CET	50167	445	192.168.2.4	165.82.220.242
Jan 14, 2025 21:04:22.455406904 CET	50167	445	192.168.2.4	165.82.220.242
Jan 14, 2025 21:04:22.455495119 CET	50168	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.461105108 CET	445	50168	165.82.220.1	192.168.2.4
Jan 14, 2025 21:04:22.461179972 CET	50168	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.461210012 CET	50168	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.461584091 CET	50169	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.462707043 CET	445	50167	165.82.220.242	192.168.2.4
Jan 14, 2025 21:04:22.462765932 CET	50167	445	192.168.2.4	165.82.220.242
Jan 14, 2025 21:04:22.466169119 CET	445	50168	165.82.220.1	192.168.2.4
Jan 14, 2025 21:04:22.466331959 CET	50168	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.466392994 CET	445	50169	165.82.220.1	192.168.2.4
Jan 14, 2025 21:04:22.466459990 CET	50169	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.466515064 CET	50169	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:22.471251965 CET	445	50169	165.82.220.1	192.168.2.4
Jan 14, 2025 21:04:23.146269083 CET	445	50055	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:23.146351099 CET	50055	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:23.146389008 CET	50055	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:23.146440983 CET	50055	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:23.151199102 CET	445	50055	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:23.151211023 CET	445	50055	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:23.215245962 CET	50175	445	192.168.2.4	38.251.3.58
Jan 14, 2025 21:04:23.220096111 CET	445	50175	38.251.3.58	192.168.2.4
Jan 14, 2025 21:04:23.220208883 CET	50175	445	192.168.2.4	38.251.3.58
Jan 14, 2025 21:04:23.220276117 CET	50175	445	192.168.2.4	38.251.3.58
Jan 14, 2025 21:04:23.220411062 CET	50176	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:23.225234985 CET	445	50176	38.251.3.1	192.168.2.4
Jan 14, 2025 21:04:23.225366116 CET	50176	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:23.225743055 CET	50176	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:23.225816965 CET	50177	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:23.228252888 CET	445	50175	38.251.3.58	192.168.2.4
Jan 14, 2025 21:04:23.230674982 CET	445	50177	38.251.3.1	192.168.2.4
Jan 14, 2025 21:04:23.231062889 CET	50177	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:23.231062889 CET	50177	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:23.232342958 CET	445	50176	38.251.3.1	192.168.2.4
Jan 14, 2025 21:04:23.236550093 CET	445	50177	38.251.3.1	192.168.2.4
Jan 14, 2025 21:04:23.244152069 CET	445	50175	38.251.3.58	192.168.2.4
Jan 14, 2025 21:04:23.244219065 CET	50175	445	192.168.2.4	38.251.3.58
Jan 14, 2025 21:04:23.245194912 CET	445	50176	38.251.3.1	192.168.2.4
Jan 14, 2025 21:04:23.245274067 CET	50176	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:24.012844086 CET	445	50166	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:24.012996912 CET	50166	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:24.013046980 CET	50166	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:24.013098001 CET	50166	445	192.168.2.4	85.26.53.1
Jan 14, 2025 21:04:24.018440008 CET	445	50166	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:24.018475056 CET	445	50166	85.26.53.1	192.168.2.4
Jan 14, 2025 21:04:24.074542046 CET	50184	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.079606056 CET	445	50184	85.26.53.2	192.168.2.4
Jan 14, 2025 21:04:24.079687119 CET	50184	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.079730988 CET	50184	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.080188990 CET	50185	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.085155964 CET	445	50184	85.26.53.2	192.168.2.4
Jan 14, 2025 21:04:24.085186958 CET	445	50185	85.26.53.2	192.168.2.4
Jan 14, 2025 21:04:24.085225105 CET	50184	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.085266113 CET	50185	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.085314989 CET	50185	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:24.090364933 CET	445	50185	85.26.53.2	192.168.2.4
Jan 14, 2025 21:04:24.136997938 CET	50186	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:24.142044067 CET	445	50186	174.8.52.1	192.168.2.4
Jan 14, 2025 21:04:24.142127991 CET	50186	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:24.142200947 CET	50186	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:24.147366047 CET	445	50186	174.8.52.1	192.168.2.4
Jan 14, 2025 21:04:25.161864042 CET	445	50058	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:25.162039042 CET	50058	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:25.162113905 CET	50058	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:25.162113905 CET	50058	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:25.166860104 CET	445	50058	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:25.166874886 CET	445	50058	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:25.644534111 CET	445	50059	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:25.644629955 CET	50059	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:25.644694090 CET	50059	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:25.644761086 CET	50059	445	192.168.2.4	7.204.138.1
Jan 14, 2025 21:04:25.650188923 CET	445	50059	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:25.650217056 CET	445	50059	7.204.138.1	192.168.2.4
Jan 14, 2025 21:04:25.699678898 CET	50200	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.704493999 CET	445	50200	7.204.138.2	192.168.2.4
Jan 14, 2025 21:04:25.704600096 CET	50200	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.704641104 CET	50200	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.705079079 CET	50201	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.710661888 CET	445	50200	7.204.138.2	192.168.2.4
Jan 14, 2025 21:04:25.710679054 CET	445	50201	7.204.138.2	192.168.2.4
Jan 14, 2025 21:04:25.710724115 CET	50200	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.710778952 CET	50201	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.710927010 CET	50201	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:25.715857983 CET	445	50201	7.204.138.2	192.168.2.4
Jan 14, 2025 21:04:26.152478933 CET	50209	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:26.157305002 CET	445	50209	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:26.157414913 CET	50209	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:26.157562971 CET	50209	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:26.162301064 CET	445	50209	206.149.19.1	192.168.2.4
Jan 14, 2025 21:04:27.159427881 CET	445	50062	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:27.159559965 CET	50062	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:27.159600973 CET	50062	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:27.159635067 CET	50062	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:27.164457083 CET	445	50062	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:27.164470911 CET	445	50062	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:27.302515030 CET	445	50063	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:27.302649975 CET	50063	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:27.302716017 CET	50063	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:27.302779913 CET	50063	445	192.168.2.4	27.44.253.1
Jan 14, 2025 21:04:27.307450056 CET	445	50063	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:27.307504892 CET	445	50063	27.44.253.1	192.168.2.4
Jan 14, 2025 21:04:27.355889082 CET	50224	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.360738039 CET	445	50224	27.44.253.2	192.168.2.4
Jan 14, 2025 21:04:27.360817909 CET	50224	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.360860109 CET	50224	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.361321926 CET	50226	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.365771055 CET	445	50224	27.44.253.2	192.168.2.4
Jan 14, 2025 21:04:27.365827084 CET	50224	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.366094112 CET	445	50226	27.44.253.2	192.168.2.4
Jan 14, 2025 21:04:27.366153002 CET	50226	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.366215944 CET	50226	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:27.370940924 CET	445	50226	27.44.253.2	192.168.2.4
Jan 14, 2025 21:04:28.176917076 CET	50237	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:28.181770086 CET	445	50237	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:28.184892893 CET	50237	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:28.220992088 CET	50237	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:28.225759029 CET	445	50237	30.53.7.1	192.168.2.4
Jan 14, 2025 21:04:29.052692890 CET	445	50066	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:29.053857088 CET	50066	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:29.053905010 CET	50066	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:29.053978920 CET	50066	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:29.058775902 CET	445	50066	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:29.058789015 CET	445	50066	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:29.321914911 CET	445	50067	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:29.322010994 CET	50067	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:29.322068930 CET	50067	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:29.322103977 CET	50067	445	192.168.2.4	19.72.220.1
Jan 14, 2025 21:04:29.326869011 CET	445	50067	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:29.326894999 CET	445	50067	19.72.220.1	192.168.2.4
Jan 14, 2025 21:04:29.386832952 CET	50258	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.391813040 CET	445	50258	19.72.220.2	192.168.2.4
Jan 14, 2025 21:04:29.391896963 CET	50258	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.391942024 CET	50258	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.392362118 CET	50259	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.396871090 CET	445	50258	19.72.220.2	192.168.2.4
Jan 14, 2025 21:04:29.396927118 CET	50258	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.397154093 CET	445	50259	19.72.220.2	192.168.2.4
Jan 14, 2025 21:04:29.397227049 CET	50259	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.397255898 CET	50259	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:29.402060032 CET	445	50259	19.72.220.2	192.168.2.4
Jan 14, 2025 21:04:30.168157101 CET	50275	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:30.173028946 CET	445	50275	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:30.173172951 CET	50275	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:30.173172951 CET	50275	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:30.178014040 CET	445	50275	76.215.58.1	192.168.2.4
Jan 14, 2025 21:04:30.849570990 CET	445	50070	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:30.851455927 CET	50070	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:30.851551056 CET	50070	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:30.851614952 CET	50070	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:30.856417894 CET	445	50070	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:30.856427908 CET	445	50070	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:31.316461086 CET	445	50071	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:31.316550016 CET	50071	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:31.316615105 CET	50071	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:31.316615105 CET	50071	445	192.168.2.4	172.230.50.1
Jan 14, 2025 21:04:31.321399927 CET	445	50071	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:31.321427107 CET	445	50071	172.230.50.1	192.168.2.4
Jan 14, 2025 21:04:31.371357918 CET	50303	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.376226902 CET	445	50303	172.230.50.2	192.168.2.4
Jan 14, 2025 21:04:31.376317024 CET	50303	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.376425982 CET	50303	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.376770973 CET	50305	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.381459951 CET	445	50303	172.230.50.2	192.168.2.4
Jan 14, 2025 21:04:31.381568909 CET	445	50305	172.230.50.2	192.168.2.4
Jan 14, 2025 21:04:31.381663084 CET	50305	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.381705046 CET	50305	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.381949902 CET	50303	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:31.386527061 CET	445	50305	172.230.50.2	192.168.2.4
Jan 14, 2025 21:04:32.058665037 CET	50323	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:32.063548088 CET	445	50323	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:32.063746929 CET	50323	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:32.063766003 CET	50323	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:32.068536043 CET	445	50323	3.121.48.1	192.168.2.4
Jan 14, 2025 21:04:32.429497957 CET	445	50074	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:32.429574966 CET	50074	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:32.429611921 CET	50074	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:32.429640055 CET	50074	445	192.168.2.4	106.197.232.1
Jan 14, 2025 21:04:32.434622049 CET	445	50074	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:32.434643984 CET	445	50074	106.197.232.1	192.168.2.4
Jan 14, 2025 21:04:33.349908113 CET	445	50075	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:33.350150108 CET	50075	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:33.364295006 CET	50075	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:33.364343882 CET	50075	445	192.168.2.4	15.181.139.1
Jan 14, 2025 21:04:33.370371103 CET	445	50075	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:33.370383024 CET	445	50075	15.181.139.1	192.168.2.4
Jan 14, 2025 21:04:33.463903904 CET	50373	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.468805075 CET	445	50373	15.181.139.2	192.168.2.4
Jan 14, 2025 21:04:33.468873978 CET	50373	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.468895912 CET	50373	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.474371910 CET	445	50373	15.181.139.2	192.168.2.4
Jan 14, 2025 21:04:33.474425077 CET	50373	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.477610111 CET	50376	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.482464075 CET	445	50376	15.181.139.2	192.168.2.4
Jan 14, 2025 21:04:33.482537031 CET	50376	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.482573032 CET	50376	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:33.487350941 CET	445	50376	15.181.139.2	192.168.2.4
Jan 14, 2025 21:04:33.857338905 CET	50393	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:33.862854958 CET	445	50393	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:33.862941027 CET	50393	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:33.865673065 CET	50393	445	192.168.2.4	48.100.13.1
Jan 14, 2025 21:04:33.870994091 CET	445	50393	48.100.13.1	192.168.2.4
Jan 14, 2025 21:04:34.068300962 CET	445	50078	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:34.068388939 CET	50078	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:34.070018053 CET	50078	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:34.070085049 CET	50078	445	192.168.2.4	119.29.17.1
Jan 14, 2025 21:04:34.074866056 CET	445	50078	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:34.074985027 CET	445	50078	119.29.17.1	192.168.2.4
Jan 14, 2025 21:04:35.365277052 CET	445	50080	155.185.174.1	192.168.2.4
Jan 14, 2025 21:04:35.365324974 CET	50080	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:35.410126925 CET	445	50083	176.153.185.1	192.168.2.4
Jan 14, 2025 21:04:35.410218954 CET	50083	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:36.476735115 CET	445	50089	197.203.23.3	192.168.2.4
Jan 14, 2025 21:04:36.478713989 CET	50089	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:36.725162029 CET	445	50092	152.209.52.1	192.168.2.4
Jan 14, 2025 21:04:36.728883982 CET	50092	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:37.039747953 CET	50113	445	192.168.2.4	148.126.233.2
Jan 14, 2025 21:04:37.040061951 CET	50259	445	192.168.2.4	19.72.220.2
Jan 14, 2025 21:04:37.040090084 CET	50201	445	192.168.2.4	7.204.138.2
Jan 14, 2025 21:04:37.040150881 CET	50185	445	192.168.2.4	85.26.53.2
Jan 14, 2025 21:04:37.040193081 CET	50226	445	192.168.2.4	27.44.253.2
Jan 14, 2025 21:04:37.040230036 CET	50165	445	192.168.2.4	19.135.66.1
Jan 14, 2025 21:04:37.040290117 CET	50132	445	192.168.2.4	17.207.165.2
Jan 14, 2025 21:04:37.040318966 CET	50080	445	192.168.2.4	155.185.174.1
Jan 14, 2025 21:04:37.040388107 CET	50083	445	192.168.2.4	176.153.185.1
Jan 14, 2025 21:04:37.040448904 CET	50092	445	192.168.2.4	152.209.52.1
Jan 14, 2025 21:04:37.040487051 CET	50089	445	192.168.2.4	197.203.23.3
Jan 14, 2025 21:04:37.040488958 CET	50098	445	192.168.2.4	93.140.22.1
Jan 14, 2025 21:04:37.040517092 CET	50106	445	192.168.2.4	135.107.147.1
Jan 14, 2025 21:04:37.040550947 CET	50122	445	192.168.2.4	39.74.29.1
Jan 14, 2025 21:04:37.040575981 CET	50130	445	192.168.2.4	95.154.143.1
Jan 14, 2025 21:04:37.040612936 CET	50140	445	192.168.2.4	129.128.31.1
Jan 14, 2025 21:04:37.040648937 CET	50141	445	192.168.2.4	19.249.31.1
Jan 14, 2025 21:04:37.040699959 CET	50149	445	192.168.2.4	13.103.137.1
Jan 14, 2025 21:04:37.040764093 CET	50159	445	192.168.2.4	214.131.32.1
Jan 14, 2025 21:04:37.040783882 CET	50156	445	192.168.2.4	51.178.254.2
Jan 14, 2025 21:04:37.040793896 CET	50169	445	192.168.2.4	165.82.220.1
Jan 14, 2025 21:04:37.040908098 CET	50186	445	192.168.2.4	174.8.52.1
Jan 14, 2025 21:04:37.040932894 CET	50209	445	192.168.2.4	206.149.19.1
Jan 14, 2025 21:04:37.040934086 CET	50177	445	192.168.2.4	38.251.3.1
Jan 14, 2025 21:04:37.040985107 CET	50275	445	192.168.2.4	76.215.58.1
Jan 14, 2025 21:04:37.041014910 CET	50237	445	192.168.2.4	30.53.7.1
Jan 14, 2025 21:04:37.041073084 CET	50305	445	192.168.2.4	172.230.50.2
Jan 14, 2025 21:04:37.041120052 CET	50323	445	192.168.2.4	3.121.48.1
Jan 14, 2025 21:04:37.041224003 CET	50376	445	192.168.2.4	15.181.139.2
Jan 14, 2025 21:04:37.041321039 CET	50393	445	192.168.2.4	48.100.13.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:03:28.144912004 CET	50991	53	192.168.2.4	1.1.1.1
Jan 14, 2025 21:03:28.451952934 CET	53	50991	1.1.1.1	192.168.2.4
Jan 14, 2025 21:03:29.064383030 CET	50368	53	192.168.2.4	1.1.1.1
Jan 14, 2025 21:03:29.546581030 CET	53	50368	1.1.1.1	192.168.2.4
Jan 14, 2025 21:03:37.352080107 CET	138	138	192.168.2.4	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 21:03:28.144912004 CET	192.168.2.4	1.1.1.1	0x3e4e	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:03:29.064383030 CET	192.168.2.4	1.1.1.1	0x8ead	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 21:03:28.451952934 CET	1.1.1.1	192.168.2.4	0x3e4e	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:03:29.546581030 CET	1.1.1.1	192.168.2.4	0x8ead	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 21:03:29.546581030 CET	1.1.1.1	192.168.2.4	0x8ead	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	103.224.212.215	80	1696	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:03:28.469108105 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:03:29.054085970 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:03:28 GMT server: Apache set-cookie: __tad=1736885008.2630796; expires=Fri, 12-Jan-2035 20:03:28 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-2865-a082-552e366d7d4c content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	199.59.243.228	80	1696	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:03:29.568738937 CET	169	OUT	GET /?subid1=20250115-0703-2865-a082-552e366d7d4c HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:03:30.026355028 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:03:29 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 229b9e3a-b57d-4a5f-bf1e-23a1a6fda947 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_BFiB23KC7Oe4Fc5fqPgBynyGHtfxB9duwwH1VRuoszXxovK75IBBOKWze3Oe5GjQh5kpJPkOGFpGBe1G9hg+uQ== set-cookie: parking_session=229b9e3a-b57d-4a5f-bf1e-23a1a6fda947; expires=Tue, 14 Jan 2025 20:18:29 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 42 46 69 42 32 33 4b 43 37 4f 65 34 46 63 35 66 71 50 67 42 79 6e 79 47 48 74 66 78 42 39 64 75 77 77 48 31 56 52 75 6f 73 7a 58 78 6f 76 4b 37 35 49 42 42 4f 4b 57 7a 65 33 4f 65 35 47 6a 51 68 35 6b 70 4a 50 6b 4f 47 46 70 47 42 65 31 47 39 68 67 2b 75 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_BFiB23KC7Oe4Fc5fqPgBynyGHtfxB9duwwH1VRuoszXxovK75IBBOKWze3Oe5GjQh5kpJPkOGFpGBe1G9hg+uQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:03:30.026376009 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjI5YjllM2EtYjU3ZC00YTVmLWJmMWUtMjNhMWE2ZmRhOTQ3IiwicGFnZV90aW1lIjoxNzM2ODg1MDA5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	103.224.212.215	80	3300	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:03:30.296466112 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:03:30.914510012 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:03:30 GMT server: Apache set-cookie: __tad=1736885010.1930978; expires=Fri, 12-Jan-2035 20:03:30 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3025-82b1-2f8f29489b53 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	199.59.243.228	80	3300	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:03:30.936599970 CET	169	OUT	GET /?subid1=20250115-0703-3025-82b1-2f8f29489b53 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:03:31.401421070 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:03:30 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 4a15100d-04ba-4176-bae7-9cf86b74a058 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JMqLyYvoFpOuSNxwm4hjG5wXMpqvHwHLe9D3M1CCz5jJzfCS6DPr0ooX+YeEUN2oR8DLqo9WtqbRFnZ4F6wCew== set-cookie: parking_session=4a15100d-04ba-4176-bae7-9cf86b74a058; expires=Tue, 14 Jan 2025 20:18:31 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 4d 71 4c 79 59 76 6f 46 70 4f 75 53 4e 78 77 6d 34 68 6a 47 35 77 58 4d 70 71 76 48 77 48 4c 65 39 44 33 4d 31 43 43 7a 35 6a 4a 7a 66 43 53 36 44 50 72 30 6f 6f 58 2b 59 65 45 55 4e 32 6f 52 38 44 4c 71 6f 39 57 74 71 62 52 46 6e 5a 34 46 36 77 43 65 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JMqLyYvoFpOuSNxwm4hjG5wXMpqvHwHLe9D3M1CCz5jJzfCS6DPr0ooX+YeEUN2oR8DLqo9WtqbRFnZ4F6wCew==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:03:31.401504993 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGExNTEwMGQtMDRiYS00MTc2LWJhZTctOWNmODZiNzRhMDU4IiwicGFnZV90aW1lIjoxNzM2ODg1MDExLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	103.224.212.215	80	5936	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:03:31.068949938 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736885008.2630796
Jan 14, 2025 21:03:31.673543930 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:03:31 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312e-89e7-547aa0526945 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	199.59.243.228	80	5936	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:03:31.683603048 CET	231	OUT	GET /?subid1=20250115-0703-312e-89e7-547aa0526945 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=229b9e3a-b57d-4a5f-bf1e-23a1a6fda947
Jan 14, 2025 21:03:32.166584969 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:03:32 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: f9064d32-7933-46b9-a99b-b843f03126e6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Z9A65/edJ3qdE2x+mWyB7MstdV+/Fv5WIgczi1gl2/xKrENfnPwUVm3gKzFEkLPPX0H34e8GNK2EbxG/c/ywBw== set-cookie: parking_session=229b9e3a-b57d-4a5f-bf1e-23a1a6fda947; expires=Tue, 14 Jan 2025 20:18:32 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 5a 39 41 36 35 2f 65 64 4a 33 71 64 45 32 78 2b 6d 57 79 42 37 4d 73 74 64 56 2b 2f 46 76 35 57 49 67 63 7a 69 31 67 6c 32 2f 78 4b 72 45 4e 66 6e 50 77 55 56 6d 33 67 4b 7a 46 45 6b 4c 50 50 58 30 48 33 34 65 38 47 4e 4b 32 45 62 78 47 2f 63 2f 79 77 42 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Z9A65/edJ3qdE2x+mWyB7MstdV+/Fv5WIgczi1gl2/xKrENfnPwUVm3gKzFEkLPPX0H34e8GNK2EbxG/c/ywBw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 21:03:32.166608095 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjI5YjllM2EtYjU3ZC00YTVmLWJmMWUtMjNhMWE2ZmRhOTQ3IiwicGFnZV90aW1lIjoxNzM2ODg1MDEyLCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	15:03:26
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll"
Imagebase:	0x640000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:03:26
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:03:26
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:03:26
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mlfk8sYaiy.dll,PlayGame
Imagebase:	0x90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:03:26
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",#1
Imagebase:	0x90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:03:26
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E12B5051C561A8E11FFF28902B1A9A70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1792421376.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.1792541209.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:03:28
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E12B5051C561A8E11FFF28902B1A9A70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2466371116.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1813727763.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1813606958.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2466716906.0000000002274000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:03:29
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\mlfk8sYaiy.dll",PlayGame
Imagebase:	0x90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:03:29
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E12B5051C561A8E11FFF28902B1A9A70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1821887861.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1838019382.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1822046137.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.1838555240.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F5C0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29
CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000005.00000002.1827586506.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1827570802.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827603127.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827669855.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.1827586506.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1827570802.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827603127.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827669855.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.1827586506.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1827570802.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827603127.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827669855.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F5C0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000005.00000002.1827586506.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1827570802.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827603127.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827669855.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F5C0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.1827586506.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1827570802.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827603127.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827624899.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827669855.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1827758750.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 3300, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F5C0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2465065380.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2465045529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465094479.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465267655.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465291256.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2465065380.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2465045529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465094479.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465267655.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465291256.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F5C0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.2465065380.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2465045529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465094479.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465267655.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465291256.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F5C0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
C:\%s\%s, xrefs: 00407DFB
CreateFileA, xrefs: 00407D0F
D, xrefs: 00407ED3
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
CloseHandle, xrefs: 00407D29
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000006.00000002.2465065380.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2465045529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465094479.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465267655.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465291256.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2465065380.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2465045529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465094479.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465128397.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465247372.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465267655.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465291256.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2465382842.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mlfk8sYaiy.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvr.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
mlfk8sYaiy.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON