Edit tour

Windows Analysis Report
m9oUIFauYl.dll

Overview

General Information

Sample name:	m9oUIFauYl.dll renamed because original name is a hash value
Original sample name:	5a6865c2a2cf22984c1aaf62d6f4c736.dll
Analysis ID:	1591282
MD5:	5a6865c2a2cf22984c1aaf62d6f4c736
SHA1:	3f4aaa1d271fa4cc65c0c14c626b5b3d7d1dcee3
SHA256:	84efa21f72b2dea0b1f46c1a13dc3d231b1e0358290994c3eeac480012e4b96a
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3260 cmdline: loaddll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2544 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6288 cmdline: rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6772 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 1AA4152354EE92FDB2C8E1F11381A8E5)

rundll32.exe (PID: 2016 cmdline: rundll32.exe C:\Users\user\Desktop\m9oUIFauYl.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5580 cmdline: rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6060 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 1AA4152354EE92FDB2C8E1F11381A8E5)

mssecsvr.exe (PID: 2052 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 1AA4152354EE92FDB2C8E1F11381A8E5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
m9oUIFauYl.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
m9oUIFauYl.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
m9oUIFauYl.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2194580978.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2166045761.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2188213919.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.2209893875.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 6772	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 2052	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 6060	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.1d50084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d82128.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.1d82128.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22aa96c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.22aa96c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22aa96c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22aa96c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.22aa96c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22788c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5f104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5f104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5f104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d5f104.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d82128.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d82128.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.1d82128.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22788c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22788c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.22788c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.2287948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2287948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2287948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2287948.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d50084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d50084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d50084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5f104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5f104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5f104.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22838e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22838e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.22838e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5b0a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5b0a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5b0a4.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.2287948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2287948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2287948.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:14.541379+0100	2803304	3	Unknown Traffic	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-14T21:10:16.045095+0100	2803304	3	Unknown Traffic	192.168.2.6	49713	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:13.623857+0100	2830018	1	A Network Trojan was detected	192.168.2.6	51254	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: m9oUIFauYl.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043c7	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8f0	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebd	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 96%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 96%

Multi AV Scanner detection for submitted file

Source: m9oUIFauYl.dll	Virustotal: Detection: 91%			Perma Link
Source: m9oUIFauYl.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: m9oUIFauYl.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: m9oUIFauYl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49894 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50259 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50470 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50631 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.6:51254 -> 1.1.1.1:53

Source: unknown

Network traffic detected: IP country count 13

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0710-142d-9b39-6bada5abe8f0 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885414.2680868
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0710-16e0-bd1a-f1b048c043c7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=1540a814-dc09-4b25-9fe0-996b538985e8

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49713 -> 103.224.212.215:80

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49894 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.209
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.209
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.209
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.209
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.167.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.219
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.219
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.219
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.219
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.86.16.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.245
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.245
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.245
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.245
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.95.118.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0710-142d-9b39-6bada5abe8f0 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885414.2680868
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0710-16e0-bd1a-f1b048c043c7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=1540a814-dc09-4b25-9fe0-996b538985e8

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2210343817.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw
Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8
Source: mssecsvr.exe, 00000008.00000002.2837626963.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebd
Source: mssecsvr.exe, 0000000A.00000002.2210343817.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043
Source: m9oUIFauYl.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2202680936.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2210343817.0000000000998000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2210343817.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 0000000A.00000002.2210343817.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%
Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L
Source: mssecsvr.exe, 00000008.00000002.2837626963.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e
Source: mssecsvr.exe, 00000008.00000002.2837626963.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/v
Source: mssecsvr.exe, 0000000A.00000002.2210343817.00000000009ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/z
Source: mssecsvr.exe, 00000008.00000002.2836859666.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 50470 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50631 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50631
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50470
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50259 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50470 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50631 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: m9oUIFauYl.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvr.exe.22aa96c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d82128.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22788c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d50084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22838e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2287948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2194580978.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2166045761.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2188213919.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2209893875.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 2052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6060, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: m9oUIFauYl.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: m9oUIFauYl.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d50084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d82128.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d82128.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22aa96c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22aa96c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22aa96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22aa96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22788c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d82128.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d82128.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22788c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22788c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d50084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d50084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22838e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22838e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2287948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2287948.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: tasksche.exe.6.dr

Static PE information: No import functions for PE file found

Source: m9oUIFauYl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: m9oUIFauYl.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: m9oUIFauYl.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d50084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d82128.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d82128.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22aa96c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22aa96c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22aa96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22aa96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22788c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d82128.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d82128.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22788c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22788c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2287948.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d50084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d50084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22838e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22838e8.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2287948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2287948.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: m9oUIFauYl.dll, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3432:120:WilError_03

Source: m9oUIFauYl.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m9oUIFauYl.dll,PlayGame

Source: m9oUIFauYl.dll	Virustotal: Detection: 91%
Source: m9oUIFauYl.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m9oUIFauYl.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m9oUIFauYl.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: m9oUIFauYl.dll

Static file information: File size 5267459 > 1048576

Source: m9oUIFauYl.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.6049042203582955

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 5724	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5724	Thread sleep time: -192000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5660	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5660	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5724	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000008.00000002.2837626963.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4*
Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2837626963.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2210343817.0000000000998000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2210343817.00000000009FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000008.00000002.2837626963.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: mssecsvr.exe, 00000006.00000002.2202680936.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
m9oUIFauYl.dll	92%	Virustotal		Browse
m9oUIFauYl.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
m9oUIFauYl.dll	100%	Avira	TR/AD.DPulsarShellcode.ujeuv
m9oUIFauYl.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043c7	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8f0	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebd	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043c7	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8f0	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L	mssecsvr.exe, 00000006.00000002.2202680936.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.2202680936.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	m9oUIFauYl.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebd	mssecsvr.exe, 00000008.00000002.2837626963.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%	mssecsvr.exe, 0000000A.00000002.2210343817.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	mssecsvr.exe, 00000008.00000002.2837626963.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043	mssecsvr.exe, 0000000A.00000002.2210343817.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/z	mssecsvr.exe, 0000000A.00000002.2210343817.00000000009ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2836859666.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8	mssecsvr.exe, 00000006.00000002.2202680936.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/v	mssecsvr.exe, 00000008.00000002.2837626963.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	mssecsvr.exe, 00000006.00000002.2202680936.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2210343817.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
179.57.103.1	unknown	Chile	14117	TelefonicadelSurSACL	false
179.57.103.2	unknown	Chile	14117	TelefonicadelSurSACL	false
209.29.139.2	unknown	Canada	852	ASN852CA	false
209.29.139.1	unknown	Canada	852	ASN852CA	false
78.71.117.88	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
34.177.88.54	unknown	United States	2686	ATGS-MMD-ASUS	false
101.240.13.197	unknown	China	17429	BGCTVNETBEIJINGGEHUACATVNETWORKCOLTDCN	false
179.57.103.3	unknown	Chile	14117	TelefonicadelSurSACL	false
24.92.19.8	unknown	United States	33363	BHN-33363US	false
124.104.82.171	unknown	Philippines	9299	IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH	false
24.92.19.2	unknown	United States	33363	BHN-33363US	false
24.92.19.1	unknown	United States	33363	BHN-33363US	false
191.205.25.2	unknown	Brazil	27699	TELEFONICABRASILSABR	false
191.205.25.1	unknown	Brazil	27699	TELEFONICABRASILSABR	false
101.240.13.1	unknown	China	17429	BGCTVNETBEIJINGGEHUACATVNETWORKCOLTDCN	false
205.115.6.1	unknown	United States	5972	DNIC-ASBLK-05800-06055US	false
86.146.125.1	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
86.146.125.2	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
217.202.110.1	unknown	Italy	16232	ASN-TIMServiceProviderIT	false
78.71.117.1	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
223.113.3.1	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
99.232.175.113	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
174.157.161.1	unknown	United States	10507	SPCSUS	false
112.117.58.143	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
201.76.167.209	unknown	Brazil	17222	MundivoxLTDABR	false
3.107.178.2	unknown	United States	16509	AMAZON-02US	false
3.107.178.1	unknown	United States	16509	AMAZON-02US	false
8.157.50.194	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
124.104.82.1	unknown	Philippines	9299	IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH	false
58.86.16.219	unknown	Taiwan; Republic of China (ROC)	18042	KBTKoosBroadbandTelecomTW	false
3.107.178.103	unknown	United States	16509	AMAZON-02US	false
34.177.88.1	unknown	United States	2686	ATGS-MMD-ASUS	false
43.112.215.82	unknown	Japan	4249	LILLY-ASUS	false
58.86.16.1	unknown	Taiwan; Republic of China (ROC)	18042	KBTKoosBroadbandTelecomTW	false
58.86.16.2	unknown	Taiwan; Republic of China (ROC)	18042	KBTKoosBroadbandTelecomTW	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591282
Start date and time:	2025-01-14 21:09:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	m9oUIFauYl.dll renamed because original name is a hash value
Original Sample Name:	5a6865c2a2cf22984c1aaf62d6f4c736.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.23.77.188, 199.232.214.172, 84.201.210.23, 13.107.253.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:10:15	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:10:50	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	103.224.212.215
	lJt3mQqCQl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	xIwkOnjSIa.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	i686.elf	Get hash	malicious	Unknown	Browse	209.171.55.67
	spc.elf	Get hash	malicious	Unknown	Browse	104.205.84.120
	arm5.elf	Get hash	malicious	Unknown	Browse	50.93.119.96
	x86_64.elf	Get hash	malicious	Unknown	Browse	199.126.116.113
	i486.elf	Get hash	malicious	Unknown	Browse	154.5.159.104
	mips.elf	Get hash	malicious	Unknown	Browse	199.175.181.117
	mpsl.elf	Get hash	malicious	Unknown	Browse	205.206.219.230
	3.elf	Get hash	malicious	Unknown	Browse	208.38.43.109
	res.mips.elf	Get hash	malicious	Unknown	Browse	207.216.32.185
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	108.181.189.7
TelefonicadelSurSACL	5.elf	Get hash	malicious	Unknown	Browse	200.126.91.165
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	201.186.115.106
	splx86.elf	Get hash	malicious	Unknown	Browse	201.187.97.199
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	179.56.129.164
	mpsl.elf	Get hash	malicious	Unknown	Browse	190.211.10.83
	elitebotnet.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	200.126.73.133
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	181.226.100.35
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	201.187.25.141
	rebirth.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	201.187.25.140
	xobftuootu.elf	Get hash	malicious	Unknown	Browse	190.211.5.139
TelefonicadelSurSACL	5.elf	Get hash	malicious	Unknown	Browse	200.126.91.165
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	201.186.115.106
	splx86.elf	Get hash	malicious	Unknown	Browse	201.187.97.199
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	179.56.129.164
	mpsl.elf	Get hash	malicious	Unknown	Browse	190.211.10.83
	elitebotnet.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	200.126.73.133
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	181.226.100.35
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	201.187.25.141
	rebirth.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	201.187.25.140
	xobftuootu.elf	Get hash	malicious	Unknown	Browse	190.211.5.139

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	http://titanys.mindsetmatters.buzz	Get hash	malicious	ScreenConnect Tool	Browse	173.222.162.64
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	173.222.162.64
	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	173.222.162.64
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	40.113.103.199
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	40.113.103.199
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	40.113.103.199
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	40.113.103.199
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.103.199
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.103.199

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.134926589064752
Encrypted:	false
SSDEEP:	49152:SQ2MSPbcBVQej/1INRx+TSqTdX1HkQo6S:t2PoBhz1aRxcSUDk36S
MD5:	AB88F9571878C22C2802B14C1898D9D8
SHA1:	7D169BCEB28607ADD5918EA5781E91EB6ACB4392
SHA-256:	7A2FEF5CBD59E0113F26AC3BB17B51FC66F5EF678031907D9506DC4478B48803
SHA-512:	456A87CCF7A079698FC6CD63C2C2B3F93407CD212E75C4C91A6965ACC0BDB37149D2E3E2F2A7A7CA0963E944754535FBBE823C5B5002ED123B21CEAE5A5A6BA2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.134926589064752
Encrypted:	false
SSDEEP:	49152:SQ2MSPbcBVQej/1INRx+TSqTdX1HkQo6S:t2PoBhz1aRxcSUDk36S
MD5:	AB88F9571878C22C2802B14C1898D9D8
SHA1:	7D169BCEB28607ADD5918EA5781E91EB6ACB4392
SHA-256:	7A2FEF5CBD59E0113F26AC3BB17B51FC66F5EF678031907D9506DC4478B48803
SHA-512:	456A87CCF7A079698FC6CD63C2C2B3F93407CD212E75C4C91A6965ACC0BDB37149D2E3E2F2A7A7CA0963E944754535FBBE823C5B5002ED123B21CEAE5A5A6BA2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.6688950007827157
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	m9oUIFauYl.dll
File size:	5'267'459 bytes
MD5:	5a6865c2a2cf22984c1aaf62d6f4c736
SHA1:	3f4aaa1d271fa4cc65c0c14c626b5b3d7d1dcee3
SHA256:	84efa21f72b2dea0b1f46c1a13dc3d231b1e0358290994c3eeac480012e4b96a
SHA512:	c13ab19d49c2390bbe1b17e39f73552ba6bd446f21cd5474e56dc33581ef9ae368731302224184dcd8567e3d70610124d02b7711302cdca6fe37704caf72f7be
SSDEEP:	49152:RnsQ2MSPbcBVQej/1INRx+TSqTdX1HkQo6S:1/2PoBhz1aRxcSUDk36S
TLSH:	723623E971BCA1FCD10579B494B78913E6F23C9E22FD6E0F9B8049660D03B59BB50A43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FB930F6E9EBh
cmp dword ptr [10003140h], 00000000h
jmp 00007FB930F6EA08h
cmp esi, 01h
je 00007FB930F6E9E7h
cmp esi, 02h
jne 00007FB930F6EA04h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FB930F6E9EBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FB930F6E9EEh
push edi
push esi
push ebx
call 00007FB930F6E8FAh
test eax, eax
jne 00007FB930F6E9E6h
xor eax, eax
jmp 00007FB930F6EA30h
push edi
push esi
push ebx
call 00007FB930F6E7ACh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FB930F6E9EEh
test eax, eax
jne 00007FB930F6EA19h
push edi
push eax
push ebx
call 00007FB930F6E8D6h
test esi, esi
je 00007FB930F6E9E7h
cmp esi, 03h
jne 00007FB930F6EA08h
push edi
push esi
push ebx
call 00007FB930F6E8C5h
test eax, eax
jne 00007FB930F6E9E5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FB930F6E9F3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FB930F6E9EAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	cb2a1f68d63de585f0aab09379d82ffe	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8783884048461914

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T21:10:13.623857+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.6	51254	1.1.1.1	53	UDP
2025-01-14T21:10:14.541379+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-14T21:10:16.045095+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49713	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:10:11.948571920 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:11.948625088 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:11.948740959 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:11.949225903 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:11.949263096 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.780100107 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.780210018 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.786201954 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.786217928 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.786627054 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.789913893 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.789973021 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.789982080 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.790085077 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.835335016 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.966912985 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.966995955 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:12.967078924 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.967323065 CET	49709	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:12.967366934 CET	443	49709	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:13.934376955 CET	49710	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:13.939418077 CET	80	49710	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:13.940608025 CET	49710	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:13.948256016 CET	49710	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:13.953310013 CET	80	49710	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:14.319528103 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:14.329405069 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:14.541198969 CET	80	49710	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:14.541244984 CET	80	49710	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:14.541378975 CET	49710	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:14.569120884 CET	49710	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:14.574214935 CET	80	49710	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:14.657510042 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:14.756752968 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:14.761650085 CET	80	49711	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:14.763499975 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:14.764482021 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:14.769298077 CET	80	49711	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:15.217813015 CET	80	49711	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:15.217858076 CET	80	49711	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:15.217883110 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:15.217920065 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:15.225486994 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:15.225518942 CET	49711	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:15.436964035 CET	49713	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:15.441833019 CET	80	49713	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:15.441921949 CET	49713	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:15.442264080 CET	49713	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:15.447060108 CET	80	49713	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.045011997 CET	80	49713	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.045078993 CET	80	49713	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.045094967 CET	49713	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.045192003 CET	49713	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.069205999 CET	49713	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.070854902 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.074105978 CET	80	49713	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.075670958 CET	80	49714	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:16.075793982 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.075819969 CET	49715	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.076160908 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.080662966 CET	80	49715	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.080740929 CET	49715	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.081079006 CET	49715	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.081110954 CET	80	49714	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:16.085848093 CET	80	49715	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.317035913 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:16.317265987 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:16.562834024 CET	80	49714	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:16.562855959 CET	80	49714	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:16.562916040 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.562956095 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.570806026 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.570806026 CET	49714	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.616127014 CET	49721	445	192.168.2.6	201.76.167.209
Jan 14, 2025 21:10:16.621117115 CET	445	49721	201.76.167.209	192.168.2.6
Jan 14, 2025 21:10:16.621196985 CET	49721	445	192.168.2.6	201.76.167.209
Jan 14, 2025 21:10:16.621860981 CET	49721	445	192.168.2.6	201.76.167.209
Jan 14, 2025 21:10:16.622124910 CET	49722	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.626852989 CET	445	49721	201.76.167.209	192.168.2.6
Jan 14, 2025 21:10:16.626929045 CET	49721	445	192.168.2.6	201.76.167.209
Jan 14, 2025 21:10:16.627051115 CET	445	49722	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:16.627130032 CET	49722	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.627166033 CET	49722	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.631074905 CET	49723	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.632308006 CET	445	49722	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:16.636046886 CET	445	49723	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:16.636082888 CET	445	49722	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:16.636115074 CET	49723	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.636142969 CET	49722	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.636182070 CET	49723	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:16.641024113 CET	445	49723	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:16.702507019 CET	80	49715	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.702559948 CET	80	49715	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.702567101 CET	49715	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.702615023 CET	49715	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.705490112 CET	49715	80	192.168.2.6	103.224.212.215
Jan 14, 2025 21:10:16.707045078 CET	49726	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.710342884 CET	80	49715	103.224.212.215	192.168.2.6
Jan 14, 2025 21:10:16.711910963 CET	80	49726	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:16.711990118 CET	49726	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.712132931 CET	49726	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:16.716993093 CET	80	49726	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:17.175723076 CET	80	49726	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:17.175760031 CET	80	49726	199.59.243.228	192.168.2.6
Jan 14, 2025 21:10:17.175834894 CET	49726	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:17.291542053 CET	49726	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:17.291579962 CET	49726	80	192.168.2.6	199.59.243.228
Jan 14, 2025 21:10:18.627693892 CET	49757	445	192.168.2.6	58.86.16.219
Jan 14, 2025 21:10:18.632581949 CET	445	49757	58.86.16.219	192.168.2.6
Jan 14, 2025 21:10:18.632663965 CET	49757	445	192.168.2.6	58.86.16.219
Jan 14, 2025 21:10:18.632709026 CET	49757	445	192.168.2.6	58.86.16.219
Jan 14, 2025 21:10:18.632906914 CET	49758	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.637625933 CET	445	49757	58.86.16.219	192.168.2.6
Jan 14, 2025 21:10:18.637779951 CET	445	49758	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:18.637861967 CET	49758	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.637911081 CET	49758	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.637917995 CET	49757	445	192.168.2.6	58.86.16.219
Jan 14, 2025 21:10:18.640872002 CET	49759	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.642767906 CET	445	49758	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:18.642819881 CET	49758	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.645701885 CET	445	49759	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:18.645761967 CET	49759	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.645808935 CET	49759	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:18.650542974 CET	445	49759	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:20.113890886 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.113939047 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:20.114104986 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.114918947 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.114932060 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:20.643229008 CET	49794	445	192.168.2.6	180.95.118.245
Jan 14, 2025 21:10:20.648176908 CET	445	49794	180.95.118.245	192.168.2.6
Jan 14, 2025 21:10:20.648287058 CET	49794	445	192.168.2.6	180.95.118.245
Jan 14, 2025 21:10:20.648354053 CET	49794	445	192.168.2.6	180.95.118.245
Jan 14, 2025 21:10:20.648545980 CET	49795	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.653287888 CET	445	49794	180.95.118.245	192.168.2.6
Jan 14, 2025 21:10:20.653322935 CET	445	49795	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:20.653340101 CET	49794	445	192.168.2.6	180.95.118.245
Jan 14, 2025 21:10:20.653394938 CET	49795	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.653460979 CET	49795	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.654541969 CET	49796	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.658345938 CET	445	49795	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:20.658416033 CET	49795	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.659404039 CET	445	49796	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:20.659481049 CET	49796	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.659532070 CET	49796	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:20.664407969 CET	445	49796	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:20.920588970 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:20.920732021 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.923995972 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.924005985 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:20.924264908 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:20.926326036 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.926326036 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.926345110 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:20.926485062 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:20.971323967 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:21.101259947 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:21.101480961 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:21.101687908 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:21.102189064 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:21.102210999 CET	443	49784	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:21.102230072 CET	49784	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:22.658771038 CET	49830	445	192.168.2.6	209.29.139.209
Jan 14, 2025 21:10:22.663875103 CET	445	49830	209.29.139.209	192.168.2.6
Jan 14, 2025 21:10:22.664011955 CET	49830	445	192.168.2.6	209.29.139.209
Jan 14, 2025 21:10:22.664134979 CET	49830	445	192.168.2.6	209.29.139.209
Jan 14, 2025 21:10:22.664145947 CET	49831	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:22.669337988 CET	445	49831	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:22.669353008 CET	445	49830	209.29.139.209	192.168.2.6
Jan 14, 2025 21:10:22.669495106 CET	49830	445	192.168.2.6	209.29.139.209
Jan 14, 2025 21:10:22.669555902 CET	49831	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:22.670605898 CET	49832	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:22.674577951 CET	445	49831	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:22.674679041 CET	49831	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:22.675453901 CET	445	49832	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:22.675616980 CET	49832	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:22.675616980 CET	49832	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:22.680512905 CET	445	49832	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:23.713956118 CET	445	49723	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:23.714086056 CET	49723	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:23.714135885 CET	49723	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:23.714202881 CET	49723	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:23.719068050 CET	445	49723	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:23.719099045 CET	445	49723	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:24.674207926 CET	49865	445	192.168.2.6	86.146.125.62
Jan 14, 2025 21:10:24.679135084 CET	445	49865	86.146.125.62	192.168.2.6
Jan 14, 2025 21:10:24.679224968 CET	49865	445	192.168.2.6	86.146.125.62
Jan 14, 2025 21:10:24.679250002 CET	49865	445	192.168.2.6	86.146.125.62
Jan 14, 2025 21:10:24.679425955 CET	49866	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.684389114 CET	445	49866	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:24.684422970 CET	445	49865	86.146.125.62	192.168.2.6
Jan 14, 2025 21:10:24.684484005 CET	49866	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.684528112 CET	49866	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.685244083 CET	445	49865	86.146.125.62	192.168.2.6
Jan 14, 2025 21:10:24.685300112 CET	49865	445	192.168.2.6	86.146.125.62
Jan 14, 2025 21:10:24.685709953 CET	49867	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.689457893 CET	445	49866	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:24.689572096 CET	49866	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.690603018 CET	445	49867	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:24.690669060 CET	49867	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.690718889 CET	49867	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:24.695508003 CET	445	49867	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:26.060374975 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:26.060436010 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:26.060831070 CET	49894	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:26.060884953 CET	443	49894	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:26.061064959 CET	49894	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:26.061321974 CET	49894	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:26.061341047 CET	443	49894	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:26.065263987 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:26.065277100 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:26.680849075 CET	443	49894	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:26.680929899 CET	49894	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:26.690186024 CET	49905	445	192.168.2.6	117.201.167.221
Jan 14, 2025 21:10:26.695075035 CET	445	49905	117.201.167.221	192.168.2.6
Jan 14, 2025 21:10:26.695210934 CET	49905	445	192.168.2.6	117.201.167.221
Jan 14, 2025 21:10:26.695246935 CET	49905	445	192.168.2.6	117.201.167.221
Jan 14, 2025 21:10:26.695493937 CET	49906	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.700397968 CET	445	49905	117.201.167.221	192.168.2.6
Jan 14, 2025 21:10:26.700414896 CET	445	49906	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:26.700486898 CET	49906	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.700503111 CET	445	49905	117.201.167.221	192.168.2.6
Jan 14, 2025 21:10:26.700525045 CET	49906	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.700551987 CET	49905	445	192.168.2.6	117.201.167.221
Jan 14, 2025 21:10:26.701497078 CET	49907	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.705806017 CET	445	49906	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:26.705866098 CET	49906	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.706387997 CET	445	49907	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:26.706685066 CET	49907	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.706873894 CET	49907	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:26.711636066 CET	445	49907	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:26.721271038 CET	49908	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:26.726280928 CET	445	49908	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:26.729538918 CET	49908	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:26.730767965 CET	49908	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:26.735655069 CET	445	49908	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:28.704745054 CET	49942	445	192.168.2.6	3.107.178.103
Jan 14, 2025 21:10:28.709661007 CET	445	49942	3.107.178.103	192.168.2.6
Jan 14, 2025 21:10:28.709737062 CET	49942	445	192.168.2.6	3.107.178.103
Jan 14, 2025 21:10:28.709777117 CET	49942	445	192.168.2.6	3.107.178.103
Jan 14, 2025 21:10:28.709898949 CET	49943	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.714711905 CET	445	49943	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:28.714773893 CET	49943	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.714843988 CET	445	49942	3.107.178.103	192.168.2.6
Jan 14, 2025 21:10:28.714844942 CET	49943	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.715055943 CET	49942	445	192.168.2.6	3.107.178.103
Jan 14, 2025 21:10:28.715136051 CET	49944	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.719780922 CET	445	49943	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:28.719831944 CET	49943	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.719933033 CET	445	49944	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:28.720012903 CET	49944	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.720048904 CET	49944	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:28.724797010 CET	445	49944	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:30.722793102 CET	49977	445	192.168.2.6	24.92.19.8
Jan 14, 2025 21:10:30.727642059 CET	445	49977	24.92.19.8	192.168.2.6
Jan 14, 2025 21:10:30.729541063 CET	49977	445	192.168.2.6	24.92.19.8
Jan 14, 2025 21:10:30.730196953 CET	49977	445	192.168.2.6	24.92.19.8
Jan 14, 2025 21:10:30.730359077 CET	49978	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.735065937 CET	445	49977	24.92.19.8	192.168.2.6
Jan 14, 2025 21:10:30.735140085 CET	49977	445	192.168.2.6	24.92.19.8
Jan 14, 2025 21:10:30.735223055 CET	445	49978	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:30.735285997 CET	49978	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.738053083 CET	49978	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.738431931 CET	49979	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.742945910 CET	445	49978	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:30.743309975 CET	445	49979	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:30.743386030 CET	49978	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.743415117 CET	49979	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.746014118 CET	49979	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:30.750881910 CET	445	49979	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:32.510736942 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:32.510766029 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:32.510829926 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:32.511471033 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:32.511480093 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:32.736288071 CET	50018	445	192.168.2.6	122.76.227.232
Jan 14, 2025 21:10:32.741112947 CET	445	50018	122.76.227.232	192.168.2.6
Jan 14, 2025 21:10:32.741183043 CET	50018	445	192.168.2.6	122.76.227.232
Jan 14, 2025 21:10:32.741224051 CET	50018	445	192.168.2.6	122.76.227.232
Jan 14, 2025 21:10:32.741417885 CET	50019	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.746275902 CET	445	50018	122.76.227.232	192.168.2.6
Jan 14, 2025 21:10:32.746314049 CET	445	50019	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:32.746340036 CET	50018	445	192.168.2.6	122.76.227.232
Jan 14, 2025 21:10:32.746396065 CET	50019	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.746468067 CET	50019	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.746737003 CET	50020	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.751461983 CET	445	50019	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:32.751584053 CET	445	50020	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:32.751643896 CET	50019	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.751666069 CET	50020	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.751688957 CET	50020	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:32.756604910 CET	445	50020	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:33.318038940 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.318218946 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.355243921 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.355262041 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.356069088 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.373734951 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.373734951 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.373752117 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.377363920 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.419327974 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.548222065 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.548363924 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.548696995 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.548717976 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.548737049 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:33.548743010 CET	443	50009	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:33.548896074 CET	50009	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:34.751801014 CET	50052	445	192.168.2.6	201.2.58.244
Jan 14, 2025 21:10:34.756661892 CET	445	50052	201.2.58.244	192.168.2.6
Jan 14, 2025 21:10:34.756740093 CET	50052	445	192.168.2.6	201.2.58.244
Jan 14, 2025 21:10:34.756773949 CET	50052	445	192.168.2.6	201.2.58.244
Jan 14, 2025 21:10:34.756987095 CET	50053	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.761766911 CET	445	50052	201.2.58.244	192.168.2.6
Jan 14, 2025 21:10:34.761825085 CET	50052	445	192.168.2.6	201.2.58.244
Jan 14, 2025 21:10:34.761879921 CET	445	50053	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:34.761955976 CET	50053	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.761955976 CET	50053	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.762206078 CET	50054	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.766983986 CET	445	50053	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:34.767019987 CET	445	50054	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:34.767052889 CET	50053	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.767087936 CET	50054	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.767119884 CET	50054	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:34.772002935 CET	445	50054	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:36.767765045 CET	50092	445	192.168.2.6	157.36.41.169
Jan 14, 2025 21:10:36.772556067 CET	445	50092	157.36.41.169	192.168.2.6
Jan 14, 2025 21:10:36.772682905 CET	50092	445	192.168.2.6	157.36.41.169
Jan 14, 2025 21:10:36.772722960 CET	50092	445	192.168.2.6	157.36.41.169
Jan 14, 2025 21:10:36.772850037 CET	50093	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.777628899 CET	445	50093	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:36.777705908 CET	50093	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.777728081 CET	50093	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.777749062 CET	445	50092	157.36.41.169	192.168.2.6
Jan 14, 2025 21:10:36.777800083 CET	50092	445	192.168.2.6	157.36.41.169
Jan 14, 2025 21:10:36.778091908 CET	50094	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.782676935 CET	445	50093	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:36.782737970 CET	50093	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.782972097 CET	445	50094	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:36.783042908 CET	50094	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.783087015 CET	50094	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:36.787946939 CET	445	50094	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:38.783221960 CET	50126	445	192.168.2.6	161.197.61.54
Jan 14, 2025 21:10:38.788052082 CET	445	50126	161.197.61.54	192.168.2.6
Jan 14, 2025 21:10:38.788157940 CET	50126	445	192.168.2.6	161.197.61.54
Jan 14, 2025 21:10:38.788239002 CET	50126	445	192.168.2.6	161.197.61.54
Jan 14, 2025 21:10:38.788362026 CET	50127	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.793092966 CET	445	50127	161.197.61.1	192.168.2.6
Jan 14, 2025 21:10:38.793190002 CET	50127	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.793220997 CET	50127	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.793240070 CET	445	50126	161.197.61.54	192.168.2.6
Jan 14, 2025 21:10:38.793288946 CET	50126	445	192.168.2.6	161.197.61.54
Jan 14, 2025 21:10:38.793540001 CET	50128	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.798248053 CET	445	50127	161.197.61.1	192.168.2.6
Jan 14, 2025 21:10:38.798325062 CET	50127	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.798413038 CET	445	50128	161.197.61.1	192.168.2.6
Jan 14, 2025 21:10:38.798485994 CET	50128	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.798707962 CET	50128	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:10:38.803442955 CET	445	50128	161.197.61.1	192.168.2.6
Jan 14, 2025 21:10:40.010818005 CET	445	49759	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:40.010891914 CET	49759	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:40.010962009 CET	49759	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:40.011015892 CET	49759	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:40.017158031 CET	445	49759	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:40.017168045 CET	445	49759	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:40.354726076 CET	445	49908	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:40.354785919 CET	49908	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:40.354859114 CET	49908	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:40.354918957 CET	49908	445	192.168.2.6	201.76.167.1
Jan 14, 2025 21:10:40.359605074 CET	445	49908	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:40.359714031 CET	445	49908	201.76.167.1	192.168.2.6
Jan 14, 2025 21:10:40.408359051 CET	50154	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.413187981 CET	445	50154	201.76.167.2	192.168.2.6
Jan 14, 2025 21:10:40.413256884 CET	50154	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.413360119 CET	50154	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.413835049 CET	50155	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.418699980 CET	445	50155	201.76.167.2	192.168.2.6
Jan 14, 2025 21:10:40.418764114 CET	50155	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.418797970 CET	50155	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.420311928 CET	445	50154	201.76.167.2	192.168.2.6
Jan 14, 2025 21:10:40.423532009 CET	445	50155	201.76.167.2	192.168.2.6
Jan 14, 2025 21:10:40.423693895 CET	445	50154	201.76.167.2	192.168.2.6
Jan 14, 2025 21:10:40.423738003 CET	50154	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:10:40.800133944 CET	50165	445	192.168.2.6	119.177.148.84
Jan 14, 2025 21:10:40.805186987 CET	445	50165	119.177.148.84	192.168.2.6
Jan 14, 2025 21:10:40.805416107 CET	50165	445	192.168.2.6	119.177.148.84
Jan 14, 2025 21:10:40.805417061 CET	50165	445	192.168.2.6	119.177.148.84
Jan 14, 2025 21:10:40.805645943 CET	50166	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.810658932 CET	445	50166	119.177.148.1	192.168.2.6
Jan 14, 2025 21:10:40.810847998 CET	50166	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.810847998 CET	50166	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.810945988 CET	445	50165	119.177.148.84	192.168.2.6
Jan 14, 2025 21:10:40.811013937 CET	50167	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.811153889 CET	50165	445	192.168.2.6	119.177.148.84
Jan 14, 2025 21:10:40.815912008 CET	445	50167	119.177.148.1	192.168.2.6
Jan 14, 2025 21:10:40.815984964 CET	50167	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.816030025 CET	50167	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.816076040 CET	445	50166	119.177.148.1	192.168.2.6
Jan 14, 2025 21:10:40.816152096 CET	50166	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:10:40.820981979 CET	445	50167	119.177.148.1	192.168.2.6
Jan 14, 2025 21:10:42.042092085 CET	445	49796	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:42.042208910 CET	49796	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:42.042299032 CET	49796	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:42.042332888 CET	49796	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:42.047193050 CET	445	49796	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:42.047209024 CET	445	49796	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:42.814558029 CET	50184	445	192.168.2.6	124.104.82.171
Jan 14, 2025 21:10:42.819758892 CET	445	50184	124.104.82.171	192.168.2.6
Jan 14, 2025 21:10:42.819845915 CET	50184	445	192.168.2.6	124.104.82.171
Jan 14, 2025 21:10:42.819890976 CET	50184	445	192.168.2.6	124.104.82.171
Jan 14, 2025 21:10:42.820075035 CET	50185	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.824964046 CET	445	50185	124.104.82.1	192.168.2.6
Jan 14, 2025 21:10:42.825046062 CET	50185	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.825063944 CET	445	50184	124.104.82.171	192.168.2.6
Jan 14, 2025 21:10:42.825067997 CET	50185	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.825119972 CET	50184	445	192.168.2.6	124.104.82.171
Jan 14, 2025 21:10:42.825433016 CET	50186	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.830055952 CET	445	50185	124.104.82.1	192.168.2.6
Jan 14, 2025 21:10:42.830116987 CET	50185	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.830306053 CET	445	50186	124.104.82.1	192.168.2.6
Jan 14, 2025 21:10:42.830365896 CET	50186	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.830403090 CET	50186	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:10:42.835228920 CET	445	50186	124.104.82.1	192.168.2.6
Jan 14, 2025 21:10:43.017400026 CET	50187	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:43.022331953 CET	445	50187	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:43.022418022 CET	50187	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:43.022501945 CET	50187	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:10:43.027256966 CET	445	50187	58.86.16.1	192.168.2.6
Jan 14, 2025 21:10:44.028295994 CET	445	49832	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:44.028959036 CET	49832	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:44.028959036 CET	49832	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:44.028959036 CET	49832	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:44.033839941 CET	445	49832	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:44.033854961 CET	445	49832	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:44.829843998 CET	50199	445	192.168.2.6	157.41.84.44
Jan 14, 2025 21:10:44.834625006 CET	445	50199	157.41.84.44	192.168.2.6
Jan 14, 2025 21:10:44.834695101 CET	50199	445	192.168.2.6	157.41.84.44
Jan 14, 2025 21:10:44.834722042 CET	50199	445	192.168.2.6	157.41.84.44
Jan 14, 2025 21:10:44.835021019 CET	50200	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.839855909 CET	445	50200	157.41.84.1	192.168.2.6
Jan 14, 2025 21:10:44.839993000 CET	50200	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.840044022 CET	50200	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.840260029 CET	445	50199	157.41.84.44	192.168.2.6
Jan 14, 2025 21:10:44.840493917 CET	445	50199	157.41.84.44	192.168.2.6
Jan 14, 2025 21:10:44.840543032 CET	50199	445	192.168.2.6	157.41.84.44
Jan 14, 2025 21:10:44.840617895 CET	50202	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.845216036 CET	445	50200	157.41.84.1	192.168.2.6
Jan 14, 2025 21:10:44.845370054 CET	50200	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.845489979 CET	445	50202	157.41.84.1	192.168.2.6
Jan 14, 2025 21:10:44.845748901 CET	50202	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.845748901 CET	50202	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:10:44.850544930 CET	445	50202	157.41.84.1	192.168.2.6
Jan 14, 2025 21:10:45.048652887 CET	50206	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:45.053673029 CET	445	50206	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:45.053853989 CET	50206	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:45.053853989 CET	50206	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:10:45.058752060 CET	445	50206	180.95.118.1	192.168.2.6
Jan 14, 2025 21:10:45.858990908 CET	443	49894	173.222.162.64	192.168.2.6
Jan 14, 2025 21:10:45.859045982 CET	49894	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:10:46.042248011 CET	445	49867	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:46.043092966 CET	49867	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:46.043212891 CET	49867	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:46.043212891 CET	49867	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:46.048146009 CET	445	49867	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:46.048160076 CET	445	49867	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:46.845859051 CET	50217	445	192.168.2.6	17.184.225.126
Jan 14, 2025 21:10:46.850656033 CET	445	50217	17.184.225.126	192.168.2.6
Jan 14, 2025 21:10:46.850765944 CET	50217	445	192.168.2.6	17.184.225.126
Jan 14, 2025 21:10:46.850805998 CET	50217	445	192.168.2.6	17.184.225.126
Jan 14, 2025 21:10:46.850959063 CET	50218	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.855756044 CET	445	50217	17.184.225.126	192.168.2.6
Jan 14, 2025 21:10:46.855771065 CET	445	50218	17.184.225.1	192.168.2.6
Jan 14, 2025 21:10:46.855837107 CET	50217	445	192.168.2.6	17.184.225.126
Jan 14, 2025 21:10:46.855876923 CET	50218	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.855940104 CET	50218	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.856290102 CET	50219	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.860944986 CET	445	50218	17.184.225.1	192.168.2.6
Jan 14, 2025 21:10:46.861051083 CET	50218	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.861138105 CET	445	50219	17.184.225.1	192.168.2.6
Jan 14, 2025 21:10:46.861212969 CET	50219	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.861258030 CET	50219	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:10:46.866337061 CET	445	50219	17.184.225.1	192.168.2.6
Jan 14, 2025 21:10:47.033030987 CET	50220	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:47.037825108 CET	445	50220	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:47.037955999 CET	50220	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:47.038043976 CET	50220	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:10:47.042812109 CET	445	50220	209.29.139.1	192.168.2.6
Jan 14, 2025 21:10:48.057771921 CET	445	49907	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:48.057848930 CET	49907	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:48.057909966 CET	49907	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:48.057987928 CET	49907	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:48.062625885 CET	445	49907	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:48.062736988 CET	445	49907	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:48.861429930 CET	50232	445	192.168.2.6	169.16.157.23
Jan 14, 2025 21:10:48.866261959 CET	445	50232	169.16.157.23	192.168.2.6
Jan 14, 2025 21:10:48.866348982 CET	50232	445	192.168.2.6	169.16.157.23
Jan 14, 2025 21:10:48.866393089 CET	50232	445	192.168.2.6	169.16.157.23
Jan 14, 2025 21:10:48.866549969 CET	50235	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.871424913 CET	445	50235	169.16.157.1	192.168.2.6
Jan 14, 2025 21:10:48.871582031 CET	50235	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.871582031 CET	50235	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.871701956 CET	445	50232	169.16.157.23	192.168.2.6
Jan 14, 2025 21:10:48.871843100 CET	50232	445	192.168.2.6	169.16.157.23
Jan 14, 2025 21:10:48.871959925 CET	50236	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.876547098 CET	445	50235	169.16.157.1	192.168.2.6
Jan 14, 2025 21:10:48.876611948 CET	50235	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.876744986 CET	445	50236	169.16.157.1	192.168.2.6
Jan 14, 2025 21:10:48.876808882 CET	50236	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.876847029 CET	50236	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:10:48.881679058 CET	445	50236	169.16.157.1	192.168.2.6
Jan 14, 2025 21:10:49.048599958 CET	50239	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:49.053627968 CET	445	50239	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:49.053749084 CET	50239	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:49.053795099 CET	50239	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:10:49.058579922 CET	445	50239	86.146.125.1	192.168.2.6
Jan 14, 2025 21:10:50.090172052 CET	445	49944	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:50.090435982 CET	49944	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:50.090435982 CET	49944	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:50.090436935 CET	49944	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:50.095410109 CET	445	49944	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:50.095422983 CET	445	49944	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:50.877346992 CET	50250	445	192.168.2.6	191.205.25.2
Jan 14, 2025 21:10:50.882713079 CET	445	50250	191.205.25.2	192.168.2.6
Jan 14, 2025 21:10:50.882874012 CET	50250	445	192.168.2.6	191.205.25.2
Jan 14, 2025 21:10:50.882874012 CET	50250	445	192.168.2.6	191.205.25.2
Jan 14, 2025 21:10:50.883116007 CET	50251	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.888117075 CET	445	50250	191.205.25.2	192.168.2.6
Jan 14, 2025 21:10:50.888164043 CET	445	50251	191.205.25.1	192.168.2.6
Jan 14, 2025 21:10:50.888245106 CET	50250	445	192.168.2.6	191.205.25.2
Jan 14, 2025 21:10:50.888323069 CET	50251	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.888488054 CET	50251	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.888950109 CET	50252	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.893415928 CET	445	50251	191.205.25.1	192.168.2.6
Jan 14, 2025 21:10:50.893515110 CET	50251	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.893836021 CET	445	50252	191.205.25.1	192.168.2.6
Jan 14, 2025 21:10:50.893915892 CET	50252	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.893939972 CET	50252	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:10:50.898811102 CET	445	50252	191.205.25.1	192.168.2.6
Jan 14, 2025 21:10:51.064081907 CET	50253	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:51.069041967 CET	445	50253	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:51.069148064 CET	50253	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:51.069269896 CET	50253	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:10:51.074057102 CET	445	50253	117.201.167.1	192.168.2.6
Jan 14, 2025 21:10:51.899110079 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:51.899148941 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:51.899229050 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:51.899836063 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:51.899849892 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.104841948 CET	445	49979	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:52.105700016 CET	49979	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:52.106487989 CET	49979	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:52.106522083 CET	49979	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:52.111394882 CET	445	49979	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:52.111426115 CET	445	49979	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:52.704615116 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.704684973 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.706573963 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.706584930 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.706855059 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.708762884 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.708820105 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.708826065 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.708967924 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.751847982 CET	50265	445	192.168.2.6	217.202.110.65
Jan 14, 2025 21:10:52.755325079 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.756745100 CET	445	50265	217.202.110.65	192.168.2.6
Jan 14, 2025 21:10:52.756823063 CET	50265	445	192.168.2.6	217.202.110.65
Jan 14, 2025 21:10:52.756860018 CET	50265	445	192.168.2.6	217.202.110.65
Jan 14, 2025 21:10:52.757103920 CET	50266	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.761842966 CET	445	50265	217.202.110.65	192.168.2.6
Jan 14, 2025 21:10:52.761905909 CET	50265	445	192.168.2.6	217.202.110.65
Jan 14, 2025 21:10:52.761975050 CET	445	50266	217.202.110.1	192.168.2.6
Jan 14, 2025 21:10:52.762053013 CET	50266	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.762126923 CET	50266	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.762496948 CET	50267	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.767036915 CET	445	50266	217.202.110.1	192.168.2.6
Jan 14, 2025 21:10:52.767093897 CET	50266	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.767292976 CET	445	50267	217.202.110.1	192.168.2.6
Jan 14, 2025 21:10:52.767395020 CET	50267	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.767416000 CET	50267	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:10:52.772377968 CET	445	50267	217.202.110.1	192.168.2.6
Jan 14, 2025 21:10:52.883261919 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.883490086 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.883557081 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.883785009 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:52.883797884 CET	443	50259	40.113.103.199	192.168.2.6
Jan 14, 2025 21:10:52.883810997 CET	50259	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:10:53.095283031 CET	50273	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:53.100166082 CET	445	50273	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:53.100265026 CET	50273	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:53.100306034 CET	50273	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:10:53.105055094 CET	445	50273	3.107.178.1	192.168.2.6
Jan 14, 2025 21:10:54.122632980 CET	445	50020	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:54.122700930 CET	50020	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:54.122742891 CET	50020	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:54.122790098 CET	50020	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:54.127568960 CET	445	50020	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:54.127587080 CET	445	50020	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:54.501677036 CET	50281	445	192.168.2.6	69.97.150.45
Jan 14, 2025 21:10:54.506575108 CET	445	50281	69.97.150.45	192.168.2.6
Jan 14, 2025 21:10:54.506650925 CET	50281	445	192.168.2.6	69.97.150.45
Jan 14, 2025 21:10:54.506726980 CET	50281	445	192.168.2.6	69.97.150.45
Jan 14, 2025 21:10:54.506875992 CET	50282	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.511615992 CET	445	50281	69.97.150.45	192.168.2.6
Jan 14, 2025 21:10:54.511653900 CET	445	50282	69.97.150.1	192.168.2.6
Jan 14, 2025 21:10:54.511666059 CET	50281	445	192.168.2.6	69.97.150.45
Jan 14, 2025 21:10:54.511717081 CET	50282	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.511778116 CET	50282	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.512032032 CET	50283	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.516630888 CET	445	50282	69.97.150.1	192.168.2.6
Jan 14, 2025 21:10:54.516679049 CET	50282	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.516864061 CET	445	50283	69.97.150.1	192.168.2.6
Jan 14, 2025 21:10:54.516999960 CET	50283	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.517081022 CET	50283	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:10:54.521859884 CET	445	50283	69.97.150.1	192.168.2.6
Jan 14, 2025 21:10:55.111023903 CET	50287	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:55.115895033 CET	445	50287	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:55.116014957 CET	50287	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:55.116211891 CET	50287	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:10:55.121015072 CET	445	50287	24.92.19.1	192.168.2.6
Jan 14, 2025 21:10:56.137974977 CET	445	50054	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:56.138127089 CET	50054	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:56.138221979 CET	50054	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:56.138221979 CET	50054	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:56.142430067 CET	50296	445	192.168.2.6	8.157.50.194
Jan 14, 2025 21:10:56.143121004 CET	445	50054	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:56.143152952 CET	445	50054	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:56.147444963 CET	445	50296	8.157.50.194	192.168.2.6
Jan 14, 2025 21:10:56.147556067 CET	50296	445	192.168.2.6	8.157.50.194
Jan 14, 2025 21:10:56.147556067 CET	50296	445	192.168.2.6	8.157.50.194
Jan 14, 2025 21:10:56.147690058 CET	50297	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.152618885 CET	445	50297	8.157.50.1	192.168.2.6
Jan 14, 2025 21:10:56.152651072 CET	445	50296	8.157.50.194	192.168.2.6
Jan 14, 2025 21:10:56.152684927 CET	50297	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.152767897 CET	50296	445	192.168.2.6	8.157.50.194
Jan 14, 2025 21:10:56.152827024 CET	50297	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.153090954 CET	50298	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.157773972 CET	445	50297	8.157.50.1	192.168.2.6
Jan 14, 2025 21:10:56.157840014 CET	50297	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.157975912 CET	445	50298	8.157.50.1	192.168.2.6
Jan 14, 2025 21:10:56.158044100 CET	50298	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.158083916 CET	50298	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:10:56.162902117 CET	445	50298	8.157.50.1	192.168.2.6
Jan 14, 2025 21:10:57.126756907 CET	50306	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:57.131721020 CET	445	50306	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:57.131831884 CET	50306	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:57.131872892 CET	50306	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:10:57.136691093 CET	445	50306	122.76.227.1	192.168.2.6
Jan 14, 2025 21:10:57.673790932 CET	50309	445	192.168.2.6	34.177.88.54
Jan 14, 2025 21:10:57.678625107 CET	445	50309	34.177.88.54	192.168.2.6
Jan 14, 2025 21:10:57.678677082 CET	50309	445	192.168.2.6	34.177.88.54
Jan 14, 2025 21:10:57.678750038 CET	50309	445	192.168.2.6	34.177.88.54
Jan 14, 2025 21:10:57.678896904 CET	50310	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.683594942 CET	445	50309	34.177.88.54	192.168.2.6
Jan 14, 2025 21:10:57.683670044 CET	50309	445	192.168.2.6	34.177.88.54
Jan 14, 2025 21:10:57.683677912 CET	445	50310	34.177.88.1	192.168.2.6
Jan 14, 2025 21:10:57.683727980 CET	50310	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.683804989 CET	50310	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.684134960 CET	50311	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.688647985 CET	445	50310	34.177.88.1	192.168.2.6
Jan 14, 2025 21:10:57.688710928 CET	50310	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.688922882 CET	445	50311	34.177.88.1	192.168.2.6
Jan 14, 2025 21:10:57.688975096 CET	50311	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.689008951 CET	50311	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:10:57.693737030 CET	445	50311	34.177.88.1	192.168.2.6
Jan 14, 2025 21:10:58.136357069 CET	445	50094	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:58.136501074 CET	50094	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:58.136555910 CET	50094	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:10:58.141437054 CET	445	50094	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:58.141468048 CET	445	50094	157.36.41.1	192.168.2.6
Jan 14, 2025 21:10:59.095840931 CET	50320	445	192.168.2.6	174.157.161.26
Jan 14, 2025 21:10:59.100790024 CET	445	50320	174.157.161.26	192.168.2.6
Jan 14, 2025 21:10:59.100930929 CET	50320	445	192.168.2.6	174.157.161.26
Jan 14, 2025 21:10:59.100970030 CET	50320	445	192.168.2.6	174.157.161.26
Jan 14, 2025 21:10:59.101100922 CET	50321	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.106064081 CET	445	50321	174.157.161.1	192.168.2.6
Jan 14, 2025 21:10:59.106197119 CET	50321	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.106235981 CET	50321	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.106271029 CET	445	50320	174.157.161.26	192.168.2.6
Jan 14, 2025 21:10:59.106328964 CET	50320	445	192.168.2.6	174.157.161.26
Jan 14, 2025 21:10:59.106542110 CET	50322	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.111486912 CET	445	50321	174.157.161.1	192.168.2.6
Jan 14, 2025 21:10:59.111538887 CET	445	50322	174.157.161.1	192.168.2.6
Jan 14, 2025 21:10:59.111596107 CET	50321	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.111639023 CET	50322	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.111681938 CET	50322	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:10:59.116569996 CET	445	50322	174.157.161.1	192.168.2.6
Jan 14, 2025 21:10:59.142338991 CET	50324	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:59.147279978 CET	445	50324	201.2.58.1	192.168.2.6
Jan 14, 2025 21:10:59.147447109 CET	50324	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:59.147495031 CET	50324	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:10:59.152340889 CET	445	50324	201.2.58.1	192.168.2.6
Jan 14, 2025 21:11:00.183242083 CET	445	50128	161.197.61.1	192.168.2.6
Jan 14, 2025 21:11:00.183716059 CET	50128	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:00.183978081 CET	50128	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:00.184073925 CET	50128	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:00.188750982 CET	445	50128	161.197.61.1	192.168.2.6
Jan 14, 2025 21:11:00.188844919 CET	445	50128	161.197.61.1	192.168.2.6
Jan 14, 2025 21:11:00.424030066 CET	50328	445	192.168.2.6	179.57.103.242
Jan 14, 2025 21:11:00.429065943 CET	445	50328	179.57.103.242	192.168.2.6
Jan 14, 2025 21:11:00.429130077 CET	50328	445	192.168.2.6	179.57.103.242
Jan 14, 2025 21:11:00.429162025 CET	50328	445	192.168.2.6	179.57.103.242
Jan 14, 2025 21:11:00.429335117 CET	50329	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.434119940 CET	445	50328	179.57.103.242	192.168.2.6
Jan 14, 2025 21:11:00.434166908 CET	445	50329	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:00.434170961 CET	50328	445	192.168.2.6	179.57.103.242
Jan 14, 2025 21:11:00.434214115 CET	50329	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.434278965 CET	50329	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.434766054 CET	50330	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.439179897 CET	445	50329	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:00.439239025 CET	50329	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.439543962 CET	445	50330	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:00.439610958 CET	50330	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.439637899 CET	50330	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:00.444395065 CET	445	50330	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:01.142280102 CET	50331	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:11:01.147250891 CET	445	50331	157.36.41.1	192.168.2.6
Jan 14, 2025 21:11:01.147362947 CET	50331	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:11:01.147382975 CET	50331	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:11:01.152195930 CET	445	50331	157.36.41.1	192.168.2.6
Jan 14, 2025 21:11:01.658456087 CET	50332	445	192.168.2.6	99.232.175.113
Jan 14, 2025 21:11:01.663542986 CET	445	50332	99.232.175.113	192.168.2.6
Jan 14, 2025 21:11:01.663644075 CET	50332	445	192.168.2.6	99.232.175.113
Jan 14, 2025 21:11:01.663680077 CET	50332	445	192.168.2.6	99.232.175.113
Jan 14, 2025 21:11:01.663764000 CET	50333	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.668735981 CET	445	50333	99.232.175.1	192.168.2.6
Jan 14, 2025 21:11:01.668919086 CET	50333	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.668919086 CET	50333	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.669325113 CET	50334	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.670841932 CET	445	50332	99.232.175.113	192.168.2.6
Jan 14, 2025 21:11:01.670907021 CET	50332	445	192.168.2.6	99.232.175.113
Jan 14, 2025 21:11:01.673885107 CET	445	50333	99.232.175.1	192.168.2.6
Jan 14, 2025 21:11:01.673942089 CET	50333	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.674180031 CET	445	50334	99.232.175.1	192.168.2.6
Jan 14, 2025 21:11:01.674237013 CET	50334	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.674295902 CET	50334	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:01.679075003 CET	445	50334	99.232.175.1	192.168.2.6
Jan 14, 2025 21:11:01.777046919 CET	445	50155	201.76.167.2	192.168.2.6
Jan 14, 2025 21:11:01.777188063 CET	50155	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:01.777246952 CET	50155	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:01.777288914 CET	50155	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:01.782061100 CET	445	50155	201.76.167.2	192.168.2.6
Jan 14, 2025 21:11:01.782073975 CET	445	50155	201.76.167.2	192.168.2.6
Jan 14, 2025 21:11:02.249850035 CET	445	50330	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:02.249898911 CET	445	50167	119.177.148.1	192.168.2.6
Jan 14, 2025 21:11:02.250036955 CET	50330	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:02.250144958 CET	50167	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:02.250144958 CET	50167	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:02.250211954 CET	50167	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:02.250216007 CET	50330	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:02.250288963 CET	50330	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:02.255165100 CET	445	50167	119.177.148.1	192.168.2.6
Jan 14, 2025 21:11:02.255196095 CET	445	50167	119.177.148.1	192.168.2.6
Jan 14, 2025 21:11:02.255223989 CET	445	50330	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:02.255251884 CET	445	50330	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:02.819565058 CET	50336	445	192.168.2.6	223.113.3.169
Jan 14, 2025 21:11:02.824610949 CET	445	50336	223.113.3.169	192.168.2.6
Jan 14, 2025 21:11:02.824759960 CET	50336	445	192.168.2.6	223.113.3.169
Jan 14, 2025 21:11:02.824851990 CET	50336	445	192.168.2.6	223.113.3.169
Jan 14, 2025 21:11:02.825011015 CET	50337	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.830055952 CET	445	50336	223.113.3.169	192.168.2.6
Jan 14, 2025 21:11:02.830081940 CET	445	50337	223.113.3.1	192.168.2.6
Jan 14, 2025 21:11:02.830143929 CET	50336	445	192.168.2.6	223.113.3.169
Jan 14, 2025 21:11:02.830177069 CET	50337	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.830276966 CET	50337	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.830889940 CET	50338	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.835206985 CET	445	50337	223.113.3.1	192.168.2.6
Jan 14, 2025 21:11:02.835285902 CET	50337	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.835736036 CET	445	50338	223.113.3.1	192.168.2.6
Jan 14, 2025 21:11:02.835817099 CET	50338	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.835848093 CET	50338	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:02.840688944 CET	445	50338	223.113.3.1	192.168.2.6
Jan 14, 2025 21:11:03.194598913 CET	50339	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:03.199717999 CET	445	50339	161.197.61.1	192.168.2.6
Jan 14, 2025 21:11:03.199841022 CET	50339	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:03.205420017 CET	50339	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:03.210297108 CET	445	50339	161.197.61.1	192.168.2.6
Jan 14, 2025 21:11:03.908169985 CET	50340	445	192.168.2.6	43.112.215.82
Jan 14, 2025 21:11:03.913254976 CET	445	50340	43.112.215.82	192.168.2.6
Jan 14, 2025 21:11:03.913366079 CET	50340	445	192.168.2.6	43.112.215.82
Jan 14, 2025 21:11:03.913428068 CET	50340	445	192.168.2.6	43.112.215.82
Jan 14, 2025 21:11:03.913568020 CET	50341	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.918493986 CET	445	50341	43.112.215.1	192.168.2.6
Jan 14, 2025 21:11:03.918525934 CET	445	50340	43.112.215.82	192.168.2.6
Jan 14, 2025 21:11:03.918622017 CET	50340	445	192.168.2.6	43.112.215.82
Jan 14, 2025 21:11:03.918684006 CET	50341	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.918684006 CET	50341	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.918956995 CET	50342	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.923769951 CET	445	50341	43.112.215.1	192.168.2.6
Jan 14, 2025 21:11:03.923825026 CET	445	50342	43.112.215.1	192.168.2.6
Jan 14, 2025 21:11:03.923897982 CET	50341	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.923950911 CET	50342	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.923950911 CET	50342	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:03.928755999 CET	445	50342	43.112.215.1	192.168.2.6
Jan 14, 2025 21:11:04.247169971 CET	445	50186	124.104.82.1	192.168.2.6
Jan 14, 2025 21:11:04.247333050 CET	50186	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:04.247395039 CET	50186	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:04.247417927 CET	50186	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:04.252192974 CET	445	50186	124.104.82.1	192.168.2.6
Jan 14, 2025 21:11:04.252208948 CET	445	50186	124.104.82.1	192.168.2.6
Jan 14, 2025 21:11:04.372376919 CET	445	50187	58.86.16.1	192.168.2.6
Jan 14, 2025 21:11:04.375684977 CET	50187	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:11:04.375803947 CET	50187	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:11:04.375803947 CET	50187	445	192.168.2.6	58.86.16.1
Jan 14, 2025 21:11:04.380706072 CET	445	50187	58.86.16.1	192.168.2.6
Jan 14, 2025 21:11:04.380728960 CET	445	50187	58.86.16.1	192.168.2.6
Jan 14, 2025 21:11:04.439337015 CET	50343	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.444247007 CET	445	50343	58.86.16.2	192.168.2.6
Jan 14, 2025 21:11:04.444489956 CET	50343	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.444525957 CET	50343	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.444869041 CET	50344	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.449482918 CET	445	50343	58.86.16.2	192.168.2.6
Jan 14, 2025 21:11:04.449538946 CET	50343	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.449681044 CET	445	50344	58.86.16.2	192.168.2.6
Jan 14, 2025 21:11:04.449733973 CET	50344	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.449754000 CET	50344	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:04.454535007 CET	445	50344	58.86.16.2	192.168.2.6
Jan 14, 2025 21:11:04.782929897 CET	50345	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:04.788003922 CET	445	50345	201.76.167.2	192.168.2.6
Jan 14, 2025 21:11:04.789279938 CET	50345	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:04.789470911 CET	50345	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:04.794472933 CET	445	50345	201.76.167.2	192.168.2.6
Jan 14, 2025 21:11:04.924056053 CET	50346	445	192.168.2.6	80.251.87.82
Jan 14, 2025 21:11:04.928989887 CET	445	50346	80.251.87.82	192.168.2.6
Jan 14, 2025 21:11:04.929174900 CET	50346	445	192.168.2.6	80.251.87.82
Jan 14, 2025 21:11:04.929174900 CET	50346	445	192.168.2.6	80.251.87.82
Jan 14, 2025 21:11:04.929394960 CET	50347	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.934218884 CET	445	50346	80.251.87.82	192.168.2.6
Jan 14, 2025 21:11:04.934266090 CET	445	50347	80.251.87.1	192.168.2.6
Jan 14, 2025 21:11:04.934340954 CET	50347	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.934462070 CET	50347	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.934526920 CET	50346	445	192.168.2.6	80.251.87.82
Jan 14, 2025 21:11:04.934802055 CET	50348	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.939400911 CET	445	50347	80.251.87.1	192.168.2.6
Jan 14, 2025 21:11:04.939462900 CET	50347	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.939732075 CET	445	50348	80.251.87.1	192.168.2.6
Jan 14, 2025 21:11:04.939795017 CET	50348	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.939829111 CET	50348	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:04.944618940 CET	445	50348	80.251.87.1	192.168.2.6
Jan 14, 2025 21:11:05.252556086 CET	50350	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:05.252572060 CET	50349	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:05.257653952 CET	445	50350	119.177.148.1	192.168.2.6
Jan 14, 2025 21:11:05.257702112 CET	445	50349	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:05.257766962 CET	50350	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:05.257807016 CET	50349	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:05.257837057 CET	50349	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:05.257839918 CET	50350	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:05.262684107 CET	445	50350	119.177.148.1	192.168.2.6
Jan 14, 2025 21:11:05.262871981 CET	445	50349	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:05.935332060 CET	50351	445	192.168.2.6	205.115.6.193
Jan 14, 2025 21:11:05.940376997 CET	445	50351	205.115.6.193	192.168.2.6
Jan 14, 2025 21:11:05.940541029 CET	50351	445	192.168.2.6	205.115.6.193
Jan 14, 2025 21:11:05.940541029 CET	50351	445	192.168.2.6	205.115.6.193
Jan 14, 2025 21:11:05.940701008 CET	50352	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.945559025 CET	445	50352	205.115.6.1	192.168.2.6
Jan 14, 2025 21:11:05.945630074 CET	50352	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.945657969 CET	50352	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.945763111 CET	445	50351	205.115.6.193	192.168.2.6
Jan 14, 2025 21:11:05.945825100 CET	50351	445	192.168.2.6	205.115.6.193
Jan 14, 2025 21:11:05.946069002 CET	50353	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.950720072 CET	445	50352	205.115.6.1	192.168.2.6
Jan 14, 2025 21:11:05.950777054 CET	50352	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.950879097 CET	445	50353	205.115.6.1	192.168.2.6
Jan 14, 2025 21:11:05.950934887 CET	50353	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.950967073 CET	50353	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:05.955821991 CET	445	50353	205.115.6.1	192.168.2.6
Jan 14, 2025 21:11:06.248270988 CET	445	50202	157.41.84.1	192.168.2.6
Jan 14, 2025 21:11:06.248452902 CET	50202	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:06.248610020 CET	50202	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:06.248666048 CET	50202	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:06.253510952 CET	445	50202	157.41.84.1	192.168.2.6
Jan 14, 2025 21:11:06.253546000 CET	445	50202	157.41.84.1	192.168.2.6
Jan 14, 2025 21:11:06.450900078 CET	445	50206	180.95.118.1	192.168.2.6
Jan 14, 2025 21:11:06.451112032 CET	50206	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:11:06.452178955 CET	50206	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:11:06.452246904 CET	50206	445	192.168.2.6	180.95.118.1
Jan 14, 2025 21:11:06.457011938 CET	445	50206	180.95.118.1	192.168.2.6
Jan 14, 2025 21:11:06.457046032 CET	445	50206	180.95.118.1	192.168.2.6
Jan 14, 2025 21:11:06.517257929 CET	50354	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.522488117 CET	445	50354	180.95.118.2	192.168.2.6
Jan 14, 2025 21:11:06.522562027 CET	50354	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.522593021 CET	50354	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.523030996 CET	50355	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.527714014 CET	445	50354	180.95.118.2	192.168.2.6
Jan 14, 2025 21:11:06.527771950 CET	50354	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.527947903 CET	445	50355	180.95.118.2	192.168.2.6
Jan 14, 2025 21:11:06.528048992 CET	50355	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.528048992 CET	50355	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:06.532885075 CET	445	50355	180.95.118.2	192.168.2.6
Jan 14, 2025 21:11:06.814605951 CET	50356	445	192.168.2.6	101.240.13.197
Jan 14, 2025 21:11:06.819519043 CET	445	50356	101.240.13.197	192.168.2.6
Jan 14, 2025 21:11:06.819617987 CET	50356	445	192.168.2.6	101.240.13.197
Jan 14, 2025 21:11:06.819715023 CET	50356	445	192.168.2.6	101.240.13.197
Jan 14, 2025 21:11:06.821326017 CET	50357	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.824807882 CET	445	50356	101.240.13.197	192.168.2.6
Jan 14, 2025 21:11:06.824898005 CET	50356	445	192.168.2.6	101.240.13.197
Jan 14, 2025 21:11:06.826194048 CET	445	50357	101.240.13.1	192.168.2.6
Jan 14, 2025 21:11:06.826361895 CET	50357	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.826361895 CET	50357	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.826674938 CET	50358	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.831302881 CET	445	50357	101.240.13.1	192.168.2.6
Jan 14, 2025 21:11:06.831476927 CET	50357	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.831541061 CET	445	50358	101.240.13.1	192.168.2.6
Jan 14, 2025 21:11:06.831614017 CET	50358	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.831650972 CET	50358	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:06.836529016 CET	445	50358	101.240.13.1	192.168.2.6
Jan 14, 2025 21:11:07.062690973 CET	445	50349	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:07.062851906 CET	50349	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:07.062927008 CET	50349	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:07.062995911 CET	50349	445	192.168.2.6	179.57.103.1
Jan 14, 2025 21:11:07.067749977 CET	445	50349	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:07.067790985 CET	445	50349	179.57.103.1	192.168.2.6
Jan 14, 2025 21:11:07.126718044 CET	50359	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.131666899 CET	445	50359	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:07.131763935 CET	50359	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.131890059 CET	50359	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.135335922 CET	50360	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.136826038 CET	445	50359	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:07.136890888 CET	50359	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.140151978 CET	445	50360	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:07.143338919 CET	50360	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.143340111 CET	50360	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:07.148261070 CET	445	50360	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:07.251928091 CET	50361	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:07.256819010 CET	445	50361	124.104.82.1	192.168.2.6
Jan 14, 2025 21:11:07.256944895 CET	50361	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:07.256968021 CET	50361	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:07.261817932 CET	445	50361	124.104.82.1	192.168.2.6
Jan 14, 2025 21:11:07.642582893 CET	50362	445	192.168.2.6	112.117.58.143
Jan 14, 2025 21:11:07.647722006 CET	445	50362	112.117.58.143	192.168.2.6
Jan 14, 2025 21:11:07.647845984 CET	50362	445	192.168.2.6	112.117.58.143
Jan 14, 2025 21:11:07.647895098 CET	50362	445	192.168.2.6	112.117.58.143
Jan 14, 2025 21:11:07.648400068 CET	50363	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.652970076 CET	445	50362	112.117.58.143	192.168.2.6
Jan 14, 2025 21:11:07.653038025 CET	50362	445	192.168.2.6	112.117.58.143
Jan 14, 2025 21:11:07.653302908 CET	445	50363	112.117.58.1	192.168.2.6
Jan 14, 2025 21:11:07.653664112 CET	50364	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.654191017 CET	50363	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.654191017 CET	50363	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.658601046 CET	445	50364	112.117.58.1	192.168.2.6
Jan 14, 2025 21:11:07.658685923 CET	50364	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.658710003 CET	50364	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.659178019 CET	445	50363	112.117.58.1	192.168.2.6
Jan 14, 2025 21:11:07.659260988 CET	50363	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:07.663582087 CET	445	50364	112.117.58.1	192.168.2.6
Jan 14, 2025 21:11:08.249938965 CET	445	50219	17.184.225.1	192.168.2.6
Jan 14, 2025 21:11:08.250130892 CET	50219	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:08.302443027 CET	50219	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:08.302443027 CET	50219	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:08.307710886 CET	445	50219	17.184.225.1	192.168.2.6
Jan 14, 2025 21:11:08.307756901 CET	445	50219	17.184.225.1	192.168.2.6
Jan 14, 2025 21:11:08.417208910 CET	50365	445	192.168.2.6	78.71.117.88
Jan 14, 2025 21:11:08.422358990 CET	445	50365	78.71.117.88	192.168.2.6
Jan 14, 2025 21:11:08.422442913 CET	50365	445	192.168.2.6	78.71.117.88
Jan 14, 2025 21:11:08.425249100 CET	50365	445	192.168.2.6	78.71.117.88
Jan 14, 2025 21:11:08.425504923 CET	50366	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.430185080 CET	445	50365	78.71.117.88	192.168.2.6
Jan 14, 2025 21:11:08.430247068 CET	50365	445	192.168.2.6	78.71.117.88
Jan 14, 2025 21:11:08.430670977 CET	445	50366	78.71.117.1	192.168.2.6
Jan 14, 2025 21:11:08.430841923 CET	50366	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.433526039 CET	50366	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.437881947 CET	50367	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.439682961 CET	445	50366	78.71.117.1	192.168.2.6
Jan 14, 2025 21:11:08.439780951 CET	50366	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.442861080 CET	445	50367	78.71.117.1	192.168.2.6
Jan 14, 2025 21:11:08.442928076 CET	50367	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.445903063 CET	50367	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:08.450776100 CET	445	50367	78.71.117.1	192.168.2.6
Jan 14, 2025 21:11:08.455298901 CET	445	50220	209.29.139.1	192.168.2.6
Jan 14, 2025 21:11:08.455380917 CET	50220	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:11:08.458317995 CET	50220	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:11:08.458475113 CET	50220	445	192.168.2.6	209.29.139.1
Jan 14, 2025 21:11:08.463392973 CET	445	50220	209.29.139.1	192.168.2.6
Jan 14, 2025 21:11:08.463423967 CET	445	50220	209.29.139.1	192.168.2.6
Jan 14, 2025 21:11:08.527470112 CET	50368	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.532701015 CET	445	50368	209.29.139.2	192.168.2.6
Jan 14, 2025 21:11:08.532799006 CET	50368	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.533291101 CET	50368	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.538224936 CET	445	50368	209.29.139.2	192.168.2.6
Jan 14, 2025 21:11:08.538315058 CET	50368	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.538789034 CET	50369	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.543649912 CET	445	50369	209.29.139.2	192.168.2.6
Jan 14, 2025 21:11:08.543714046 CET	50369	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.546386957 CET	50369	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:08.551242113 CET	445	50369	209.29.139.2	192.168.2.6
Jan 14, 2025 21:11:08.975024939 CET	445	50360	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:08.975173950 CET	50360	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:08.975212097 CET	50360	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:08.975245953 CET	50360	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:08.980904102 CET	445	50360	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:08.980935097 CET	445	50360	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:09.251590014 CET	50371	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:09.256772041 CET	445	50371	157.41.84.1	192.168.2.6
Jan 14, 2025 21:11:09.256876945 CET	50371	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:09.256941080 CET	50371	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:09.261863947 CET	445	50371	157.41.84.1	192.168.2.6
Jan 14, 2025 21:11:10.263484001 CET	445	50236	169.16.157.1	192.168.2.6
Jan 14, 2025 21:11:10.263585091 CET	50236	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:10.263643026 CET	50236	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:10.263643026 CET	50236	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:10.268501043 CET	445	50236	169.16.157.1	192.168.2.6
Jan 14, 2025 21:11:10.268598080 CET	445	50236	169.16.157.1	192.168.2.6
Jan 14, 2025 21:11:10.437859058 CET	445	50239	86.146.125.1	192.168.2.6
Jan 14, 2025 21:11:10.438123941 CET	50239	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:11:10.438195944 CET	50239	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:11:10.438195944 CET	50239	445	192.168.2.6	86.146.125.1
Jan 14, 2025 21:11:10.443115950 CET	445	50239	86.146.125.1	192.168.2.6
Jan 14, 2025 21:11:10.443149090 CET	445	50239	86.146.125.1	192.168.2.6
Jan 14, 2025 21:11:10.501705885 CET	50375	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.507206917 CET	445	50375	86.146.125.2	192.168.2.6
Jan 14, 2025 21:11:10.507308960 CET	50375	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.507328987 CET	50375	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.507546902 CET	50376	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.512506008 CET	445	50375	86.146.125.2	192.168.2.6
Jan 14, 2025 21:11:10.512691975 CET	445	50376	86.146.125.2	192.168.2.6
Jan 14, 2025 21:11:10.512722015 CET	445	50375	86.146.125.2	192.168.2.6
Jan 14, 2025 21:11:10.512751102 CET	50376	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.512768984 CET	50375	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.512809038 CET	50376	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:10.517787933 CET	445	50376	86.146.125.2	192.168.2.6
Jan 14, 2025 21:11:11.314146996 CET	50379	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:11.319542885 CET	445	50379	17.184.225.1	192.168.2.6
Jan 14, 2025 21:11:11.319696903 CET	50379	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:11.319722891 CET	50379	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:11.324613094 CET	445	50379	17.184.225.1	192.168.2.6
Jan 14, 2025 21:11:11.986006021 CET	50383	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:11.991410017 CET	445	50383	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:11.991604090 CET	50383	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:11.991640091 CET	50383	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:11.996531963 CET	445	50383	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:12.293966055 CET	445	50252	191.205.25.1	192.168.2.6
Jan 14, 2025 21:11:12.294182062 CET	50252	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:12.294224977 CET	50252	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:12.294275999 CET	50252	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:12.299186945 CET	445	50252	191.205.25.1	192.168.2.6
Jan 14, 2025 21:11:12.299220085 CET	445	50252	191.205.25.1	192.168.2.6
Jan 14, 2025 21:11:12.437517881 CET	445	50253	117.201.167.1	192.168.2.6
Jan 14, 2025 21:11:12.437848091 CET	50253	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:11:12.437973022 CET	50253	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:11:12.438041925 CET	50253	445	192.168.2.6	117.201.167.1
Jan 14, 2025 21:11:12.442790985 CET	445	50253	117.201.167.1	192.168.2.6
Jan 14, 2025 21:11:12.442850113 CET	445	50253	117.201.167.1	192.168.2.6
Jan 14, 2025 21:11:12.501760960 CET	50388	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:12.507041931 CET	445	50388	117.201.167.2	192.168.2.6
Jan 14, 2025 21:11:12.507128954 CET	50388	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:12.507143974 CET	50388	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:12.507467031 CET	50389	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:12.512388945 CET	445	50389	117.201.167.2	192.168.2.6
Jan 14, 2025 21:11:12.512476921 CET	50389	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:12.512518883 CET	50389	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:12.516309977 CET	445	50388	117.201.167.2	192.168.2.6
Jan 14, 2025 21:11:12.517353058 CET	445	50389	117.201.167.2	192.168.2.6
Jan 14, 2025 21:11:12.534326077 CET	445	50388	117.201.167.2	192.168.2.6
Jan 14, 2025 21:11:12.534441948 CET	50388	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:13.267369032 CET	50397	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:13.272689104 CET	445	50397	169.16.157.1	192.168.2.6
Jan 14, 2025 21:11:13.272804022 CET	50397	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:13.272831917 CET	50397	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:13.277723074 CET	445	50397	169.16.157.1	192.168.2.6
Jan 14, 2025 21:11:13.858581066 CET	445	50383	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:13.858747005 CET	50383	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:13.858819008 CET	50383	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:13.858859062 CET	50383	445	192.168.2.6	179.57.103.2
Jan 14, 2025 21:11:13.863756895 CET	445	50383	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:13.863790035 CET	445	50383	179.57.103.2	192.168.2.6
Jan 14, 2025 21:11:13.923583984 CET	50404	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.928735971 CET	445	50404	179.57.103.3	192.168.2.6
Jan 14, 2025 21:11:13.928890944 CET	50404	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.928936958 CET	50404	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.929294109 CET	50405	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.934179068 CET	445	50405	179.57.103.3	192.168.2.6
Jan 14, 2025 21:11:13.934283972 CET	50405	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.934324980 CET	445	50404	179.57.103.3	192.168.2.6
Jan 14, 2025 21:11:13.934341908 CET	50405	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.934389114 CET	50404	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:13.939172029 CET	445	50405	179.57.103.3	192.168.2.6
Jan 14, 2025 21:11:14.140642881 CET	445	50267	217.202.110.1	192.168.2.6
Jan 14, 2025 21:11:14.140716076 CET	50267	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:14.140754938 CET	50267	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:14.140796900 CET	50267	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:14.145714045 CET	445	50267	217.202.110.1	192.168.2.6
Jan 14, 2025 21:11:14.145745993 CET	445	50267	217.202.110.1	192.168.2.6
Jan 14, 2025 21:11:14.467886925 CET	445	50273	3.107.178.1	192.168.2.6
Jan 14, 2025 21:11:14.468132973 CET	50273	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:11:14.468336105 CET	50273	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:11:14.468437910 CET	50273	445	192.168.2.6	3.107.178.1
Jan 14, 2025 21:11:14.473153114 CET	445	50273	3.107.178.1	192.168.2.6
Jan 14, 2025 21:11:14.473272085 CET	445	50273	3.107.178.1	192.168.2.6
Jan 14, 2025 21:11:14.532838106 CET	50413	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.538042068 CET	445	50413	3.107.178.2	192.168.2.6
Jan 14, 2025 21:11:14.538124084 CET	50413	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.538151026 CET	50413	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.538489103 CET	50414	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.543471098 CET	445	50414	3.107.178.2	192.168.2.6
Jan 14, 2025 21:11:14.543576956 CET	50414	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.543576956 CET	50414	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.543615103 CET	445	50413	3.107.178.2	192.168.2.6
Jan 14, 2025 21:11:14.543672085 CET	50413	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:14.548504114 CET	445	50414	3.107.178.2	192.168.2.6
Jan 14, 2025 21:11:15.298499107 CET	50424	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:15.303796053 CET	445	50424	191.205.25.1	192.168.2.6
Jan 14, 2025 21:11:15.303920984 CET	50424	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:15.304184914 CET	50424	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:15.309189081 CET	445	50424	191.205.25.1	192.168.2.6
Jan 14, 2025 21:11:15.892468929 CET	445	50283	69.97.150.1	192.168.2.6
Jan 14, 2025 21:11:15.892534018 CET	50283	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:15.892577887 CET	50283	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:15.892611980 CET	50283	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:15.897535086 CET	445	50283	69.97.150.1	192.168.2.6
Jan 14, 2025 21:11:15.897572041 CET	445	50283	69.97.150.1	192.168.2.6
Jan 14, 2025 21:11:16.481342077 CET	445	50287	24.92.19.1	192.168.2.6
Jan 14, 2025 21:11:16.481616020 CET	50287	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:11:16.481705904 CET	50287	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:11:16.481705904 CET	50287	445	192.168.2.6	24.92.19.1
Jan 14, 2025 21:11:16.486707926 CET	445	50287	24.92.19.1	192.168.2.6
Jan 14, 2025 21:11:16.486742020 CET	445	50287	24.92.19.1	192.168.2.6
Jan 14, 2025 21:11:16.533067942 CET	50446	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:16.538306952 CET	445	50446	24.92.19.2	192.168.2.6
Jan 14, 2025 21:11:16.538429976 CET	50446	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:16.538533926 CET	50446	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:16.538940907 CET	50447	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:16.543507099 CET	445	50446	24.92.19.2	192.168.2.6
Jan 14, 2025 21:11:16.543625116 CET	50446	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:16.543807030 CET	445	50447	24.92.19.2	192.168.2.6
Jan 14, 2025 21:11:16.543950081 CET	50447	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:16.548799038 CET	445	50447	24.92.19.2	192.168.2.6
Jan 14, 2025 21:11:17.142431021 CET	50463	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:17.147541046 CET	445	50463	217.202.110.1	192.168.2.6
Jan 14, 2025 21:11:17.147664070 CET	50463	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:17.147690058 CET	50463	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:17.152569056 CET	445	50463	217.202.110.1	192.168.2.6
Jan 14, 2025 21:11:17.500448942 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:17.500485897 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:17.500554085 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:17.501101971 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:17.501116991 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:17.528033972 CET	445	50298	8.157.50.1	192.168.2.6
Jan 14, 2025 21:11:17.528167009 CET	50298	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:11:17.528167009 CET	50298	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:11:17.528167009 CET	50298	445	192.168.2.6	8.157.50.1
Jan 14, 2025 21:11:17.533634901 CET	445	50298	8.157.50.1	192.168.2.6
Jan 14, 2025 21:11:17.533679008 CET	445	50298	8.157.50.1	192.168.2.6
Jan 14, 2025 21:11:18.311117887 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.311358929 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.313024044 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.313038111 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.313390017 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.315260887 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.315321922 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.315327883 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.315431118 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.359333038 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.495102882 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.495214939 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.495273113 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.495393991 CET	50470	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:18.495414972 CET	443	50470	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:18.511133909 CET	445	50306	122.76.227.1	192.168.2.6
Jan 14, 2025 21:11:18.511298895 CET	50306	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:11:18.511300087 CET	50306	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:11:18.511425018 CET	50306	445	192.168.2.6	122.76.227.1
Jan 14, 2025 21:11:18.516336918 CET	445	50306	122.76.227.1	192.168.2.6
Jan 14, 2025 21:11:18.516366959 CET	445	50306	122.76.227.1	192.168.2.6
Jan 14, 2025 21:11:18.564400911 CET	50506	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.569576025 CET	445	50506	122.76.227.2	192.168.2.6
Jan 14, 2025 21:11:18.569711924 CET	50506	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.570075989 CET	50506	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.570116997 CET	50507	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.575086117 CET	445	50506	122.76.227.2	192.168.2.6
Jan 14, 2025 21:11:18.575119972 CET	445	50507	122.76.227.2	192.168.2.6
Jan 14, 2025 21:11:18.575175047 CET	50506	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.575342894 CET	50507	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.575342894 CET	50507	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:18.580245972 CET	445	50507	122.76.227.2	192.168.2.6
Jan 14, 2025 21:11:18.908068895 CET	50524	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:18.913341999 CET	445	50524	69.97.150.1	192.168.2.6
Jan 14, 2025 21:11:18.913613081 CET	50524	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:18.913614035 CET	50524	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:18.918593884 CET	445	50524	69.97.150.1	192.168.2.6
Jan 14, 2025 21:11:19.062684059 CET	445	50311	34.177.88.1	192.168.2.6
Jan 14, 2025 21:11:19.062908888 CET	50311	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:11:19.062908888 CET	50311	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:11:19.062908888 CET	50311	445	192.168.2.6	34.177.88.1
Jan 14, 2025 21:11:19.068130970 CET	445	50311	34.177.88.1	192.168.2.6
Jan 14, 2025 21:11:19.068145037 CET	445	50311	34.177.88.1	192.168.2.6
Jan 14, 2025 21:11:20.480562925 CET	445	50322	174.157.161.1	192.168.2.6
Jan 14, 2025 21:11:20.480639935 CET	50322	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:11:20.511735916 CET	445	50324	201.2.58.1	192.168.2.6
Jan 14, 2025 21:11:20.511787891 CET	50324	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:11:21.580456018 CET	50414	445	192.168.2.6	3.107.178.2
Jan 14, 2025 21:11:21.580482006 CET	50345	445	192.168.2.6	201.76.167.2
Jan 14, 2025 21:11:21.580518961 CET	50331	445	192.168.2.6	157.36.41.1
Jan 14, 2025 21:11:21.580526114 CET	50376	445	192.168.2.6	86.146.125.2
Jan 14, 2025 21:11:21.580526114 CET	50344	445	192.168.2.6	58.86.16.2
Jan 14, 2025 21:11:21.580554008 CET	50369	445	192.168.2.6	209.29.139.2
Jan 14, 2025 21:11:21.580600977 CET	50355	445	192.168.2.6	180.95.118.2
Jan 14, 2025 21:11:21.580693960 CET	50322	445	192.168.2.6	174.157.161.1
Jan 14, 2025 21:11:21.580728054 CET	50324	445	192.168.2.6	201.2.58.1
Jan 14, 2025 21:11:21.580740929 CET	50334	445	192.168.2.6	99.232.175.1
Jan 14, 2025 21:11:21.580797911 CET	50339	445	192.168.2.6	161.197.61.1
Jan 14, 2025 21:11:21.580816984 CET	50338	445	192.168.2.6	223.113.3.1
Jan 14, 2025 21:11:21.580859900 CET	50348	445	192.168.2.6	80.251.87.1
Jan 14, 2025 21:11:21.580878973 CET	50350	445	192.168.2.6	119.177.148.1
Jan 14, 2025 21:11:21.580883980 CET	50342	445	192.168.2.6	43.112.215.1
Jan 14, 2025 21:11:21.580900908 CET	50353	445	192.168.2.6	205.115.6.1
Jan 14, 2025 21:11:21.580919027 CET	50358	445	192.168.2.6	101.240.13.1
Jan 14, 2025 21:11:21.580943108 CET	50447	445	192.168.2.6	24.92.19.2
Jan 14, 2025 21:11:21.580970049 CET	50371	445	192.168.2.6	157.41.84.1
Jan 14, 2025 21:11:21.580988884 CET	50361	445	192.168.2.6	124.104.82.1
Jan 14, 2025 21:11:21.581015110 CET	50364	445	192.168.2.6	112.117.58.1
Jan 14, 2025 21:11:21.581037998 CET	50367	445	192.168.2.6	78.71.117.1
Jan 14, 2025 21:11:21.581067085 CET	50379	445	192.168.2.6	17.184.225.1
Jan 14, 2025 21:11:21.581091881 CET	50389	445	192.168.2.6	117.201.167.2
Jan 14, 2025 21:11:21.581113100 CET	50424	445	192.168.2.6	191.205.25.1
Jan 14, 2025 21:11:21.581140041 CET	50397	445	192.168.2.6	169.16.157.1
Jan 14, 2025 21:11:21.581214905 CET	50405	445	192.168.2.6	179.57.103.3
Jan 14, 2025 21:11:21.581331015 CET	50463	445	192.168.2.6	217.202.110.1
Jan 14, 2025 21:11:21.581413031 CET	50524	445	192.168.2.6	69.97.150.1
Jan 14, 2025 21:11:21.582387924 CET	50507	445	192.168.2.6	122.76.227.2
Jan 14, 2025 21:11:44.783003092 CET	49703	443	192.168.2.6	20.190.159.71
Jan 14, 2025 21:11:44.789629936 CET	443	49703	20.190.159.71	192.168.2.6
Jan 14, 2025 21:11:44.789679050 CET	49703	443	192.168.2.6	20.190.159.71
Jan 14, 2025 21:11:44.978192091 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:44.978250027 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:44.978312969 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:44.978897095 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:44.978909969 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:45.794219017 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:45.794431925 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:45.796361923 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:45.796370029 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:45.797127962 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:45.799036026 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:45.799102068 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:45.799117088 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:45.799242973 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:45.843341112 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:46.005743980 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:46.005846024 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:46.005884886 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:46.006059885 CET	50631	443	192.168.2.6	40.113.103.199
Jan 14, 2025 21:11:46.006072998 CET	443	50631	40.113.103.199	192.168.2.6
Jan 14, 2025 21:11:47.126945019 CET	49707	443	192.168.2.6	20.190.159.71
Jan 14, 2025 21:11:47.131988049 CET	443	49707	20.190.159.71	192.168.2.6
Jan 14, 2025 21:11:47.132044077 CET	49707	443	192.168.2.6	20.190.159.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:10:13.623857021 CET	51254	53	192.168.2.6	1.1.1.1
Jan 14, 2025 21:10:13.927288055 CET	53	51254	1.1.1.1	192.168.2.6
Jan 14, 2025 21:10:14.570199013 CET	52032	53	192.168.2.6	1.1.1.1
Jan 14, 2025 21:10:14.751977921 CET	53	52032	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 21:10:13.623857021 CET	192.168.2.6	1.1.1.1	0xd34c	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:10:14.570199013 CET	192.168.2.6	1.1.1.1	0x7afc	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 21:10:13.927288055 CET	1.1.1.1	192.168.2.6	0xd34c	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:10:14.751977921 CET	1.1.1.1	192.168.2.6	0x7afc	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 21:10:14.751977921 CET	1.1.1.1	192.168.2.6	0x7afc	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	103.224.212.215	80	6772	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:13.948256016 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:10:14.541198969 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:10:14 GMT server: Apache set-cookie: __tad=1736885414.2680868; expires=Fri, 12-Jan-2035 20:10:14 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-142d-9b39-6bada5abe8f0 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49711	199.59.243.228	80	6772	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:14.764482021 CET	169	OUT	GET /?subid1=20250115-0710-142d-9b39-6bada5abe8f0 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:10:15.217813015 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:10:14 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 1540a814-dc09-4b25-9fe0-996b538985e8 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Gcm+JAgOLyhoxC8H19werlO4BvzaAuNvmFQUsGqCVtg8Y6eETjEfW7/fJrT8QbFqK8namPIAdBF6TfnSAJChrQ== set-cookie: parking_session=1540a814-dc09-4b25-9fe0-996b538985e8; expires=Tue, 14 Jan 2025 20:25:15 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 47 63 6d 2b 4a 41 67 4f 4c 79 68 6f 78 43 38 48 31 39 77 65 72 6c 4f 34 42 76 7a 61 41 75 4e 76 6d 46 51 55 73 47 71 43 56 74 67 38 59 36 65 45 54 6a 45 66 57 37 2f 66 4a 72 54 38 51 62 46 71 4b 38 6e 61 6d 50 49 41 64 42 46 36 54 66 6e 53 41 4a 43 68 72 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Gcm+JAgOLyhoxC8H19werlO4BvzaAuNvmFQUsGqCVtg8Y6eETjEfW7/fJrT8QbFqK8namPIAdBF6TfnSAJChrQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:10:15.217858076 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTU0MGE4MTQtZGMwOS00YjI1LTlmZTAtOTk2YjUzODk4NWU4IiwicGFnZV90aW1lIjoxNzM2ODg1NDE1LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49713	103.224.212.215	80	2052	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:15.442264080 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:10:16.045011997 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:10:15 GMT server: Apache set-cookie: __tad=1736885415.4477357; expires=Fri, 12-Jan-2035 20:10:15 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49714	199.59.243.228	80	2052	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:16.076160908 CET	169	OUT	GET /?subid1=20250115-0710-15b5-ac8d-d0af4adebdd4 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:10:16.562834024 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:10:15 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 9636b5f5-f873-43d2-ad33-9c38fe3fa6f6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MML3QP3LOoWlhit77csZrW5GreKm9QoeKDWgJdUDf5aOvv4/uHph7SwcGmTGJLA6elm1M9M/f8grVdATxoqX8w== set-cookie: parking_session=9636b5f5-f873-43d2-ad33-9c38fe3fa6f6; expires=Tue, 14 Jan 2025 20:25:16 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 4d 4c 33 51 50 33 4c 4f 6f 57 6c 68 69 74 37 37 63 73 5a 72 57 35 47 72 65 4b 6d 39 51 6f 65 4b 44 57 67 4a 64 55 44 66 35 61 4f 76 76 34 2f 75 48 70 68 37 53 77 63 47 6d 54 47 4a 4c 41 36 65 6c 6d 31 4d 39 4d 2f 66 38 67 72 56 64 41 54 78 6f 71 58 38 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MML3QP3LOoWlhit77csZrW5GreKm9QoeKDWgJdUDf5aOvv4/uHph7SwcGmTGJLA6elm1M9M/f8grVdATxoqX8w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:10:16.562855959 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTYzNmI1ZjUtZjg3My00M2QyLWFkMzMtOWMzOGZlM2ZhNmY2IiwicGFnZV90aW1lIjoxNzM2ODg1NDE2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49715	103.224.212.215	80	6060	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:16.081079006 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736885414.2680868
Jan 14, 2025 21:10:16.702507019 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:10:16 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0710-16e0-bd1a-f1b048c043c7 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49726	199.59.243.228	80	6060	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:16.712132931 CET	231	OUT	GET /?subid1=20250115-0710-16e0-bd1a-f1b048c043c7 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=1540a814-dc09-4b25-9fe0-996b538985e8
Jan 14, 2025 21:10:17.175723076 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:10:16 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 699cc23a-8b69-4ca0-9ebf-da51de6942e3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Aj4t7mB8pQAuEQ01Z8GlRPW+NgLra9YbXvgyIgKU1QdR1pAS4GawlkCdGFksk78oSo/LpSYQF0qTRzyTB/cgTQ== set-cookie: parking_session=1540a814-dc09-4b25-9fe0-996b538985e8; expires=Tue, 14 Jan 2025 20:25:17 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6a 34 74 37 6d 42 38 70 51 41 75 45 51 30 31 5a 38 47 6c 52 50 57 2b 4e 67 4c 72 61 39 59 62 58 76 67 79 49 67 4b 55 31 51 64 52 31 70 41 53 34 47 61 77 6c 6b 43 64 47 46 6b 73 6b 37 38 6f 53 6f 2f 4c 70 53 59 51 46 30 71 54 52 7a 79 54 42 2f 63 67 54 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Aj4t7mB8pQAuEQ01Z8GlRPW+NgLra9YbXvgyIgKU1QdR1pAS4GawlkCdGFksk78oSo/LpSYQF0qTRzyTB/cgTQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 21:10:17.175760031 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTU0MGE4MTQtZGMwOS00YjI1LTlmZTAtOTk2YjUzODk4NWU4IiwicGFnZV90aW1lIjoxNzM2ODg1NDE3LCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:10:12 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 2f 61 71 78 36 6e 43 73 39 45 2b 53 56 67 64 54 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 66 30 61 33 62 39 64 32 39 33 65 36 36 34 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: /aqx6nCs9E+SVgdT.1Context: af0a3b9d293e664c
2025-01-14 20:10:12 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:10:12 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 2f 61 71 78 36 6e 43 73 39 45 2b 53 56 67 64 54 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 66 30 61 33 62 39 64 32 39 33 65 36 36 34 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: /aqx6nCs9E+SVgdT.2Context: af0a3b9d293e664c<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-14 20:10:12 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 2f 61 71 78 36 6e 43 73 39 45 2b 53 56 67 64 54 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 66 30 61 33 62 39 64 32 39 33 65 36 36 34 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: /aqx6nCs9E+SVgdT.3Context: af0a3b9d293e664c<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:10:12 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:10:12 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 54 5a 4d 68 70 41 63 7a 62 30 53 57 46 59 57 66 73 58 47 6c 6f 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: TZMhpAczb0SWFYWfsXGlow.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49784	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:10:20 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4b 72 2f 35 58 38 46 69 71 45 53 37 58 30 33 4d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 32 61 38 31 31 36 32 39 32 36 36 32 61 30 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Kr/5X8FiqES7X03M.1Context: c2a8116292662a0b
2025-01-14 20:10:20 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:10:20 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4b 72 2f 35 58 38 46 69 71 45 53 37 58 30 33 4d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 32 61 38 31 31 36 32 39 32 36 36 32 61 30 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Kr/5X8FiqES7X03M.2Context: c2a8116292662a0b<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-14 20:10:20 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 72 2f 35 58 38 46 69 71 45 53 37 58 30 33 4d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 32 61 38 31 31 36 32 39 32 36 36 32 61 30 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Kr/5X8FiqES7X03M.3Context: c2a8116292662a0b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:10:21 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:10:21 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 5a 6e 6d 78 78 70 59 75 46 6b 43 76 4e 43 2b 4d 54 4a 6d 4e 41 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ZnmxxpYuFkCvNC+MTJmNAA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	50009	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:10:33 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 46 4d 56 4c 33 6a 65 58 42 45 43 38 71 6b 67 67 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 62 30 30 36 62 61 36 36 64 32 34 38 62 30 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: FMVL3jeXBEC8qkgg.1Context: ab006ba66d248b03
2025-01-14 20:10:33 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:10:33 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 46 4d 56 4c 33 6a 65 58 42 45 43 38 71 6b 67 67 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 62 30 30 36 62 61 36 36 64 32 34 38 62 30 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: FMVL3jeXBEC8qkgg.2Context: ab006ba66d248b03<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-14 20:10:33 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 46 4d 56 4c 33 6a 65 58 42 45 43 38 71 6b 67 67 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 62 30 30 36 62 61 36 36 64 32 34 38 62 30 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: FMVL3jeXBEC8qkgg.3Context: ab006ba66d248b03<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:10:33 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:10:33 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 34 37 6d 74 48 34 42 73 45 4f 6a 52 4f 54 70 61 43 30 7a 47 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: f47mtH4BsEOjROTpaC0zGQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50259	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:10:52 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4d 77 52 35 45 79 45 35 42 55 75 39 36 68 6d 67 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 39 34 39 30 65 65 30 36 35 35 36 62 37 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: MwR5EyE5BUu96hmg.1Context: c19490ee06556b75
2025-01-14 20:10:52 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:10:52 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4d 77 52 35 45 79 45 35 42 55 75 39 36 68 6d 67 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 39 34 39 30 65 65 30 36 35 35 36 62 37 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: MwR5EyE5BUu96hmg.2Context: c19490ee06556b75<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-14 20:10:52 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4d 77 52 35 45 79 45 35 42 55 75 39 36 68 6d 67 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 39 34 39 30 65 65 30 36 35 35 36 62 37 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: MwR5EyE5BUu96hmg.3Context: c19490ee06556b75<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:10:52 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:10:52 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 59 30 4f 73 52 64 34 6f 2f 6b 57 58 67 58 56 39 59 45 56 54 61 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Y0OsRd4o/kWXgXV9YEVTag.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50470	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:11:18 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 31 56 45 66 41 31 77 76 4f 6b 79 6a 2b 42 59 4f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 30 36 39 37 30 36 38 31 31 34 33 65 30 35 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 1VEfA1wvOkyj+BYO.1Context: d06970681143e05e
2025-01-14 20:11:18 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:11:18 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 31 56 45 66 41 31 77 76 4f 6b 79 6a 2b 42 59 4f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 30 36 39 37 30 36 38 31 31 34 33 65 30 35 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 1VEfA1wvOkyj+BYO.2Context: d06970681143e05e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-14 20:11:18 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 31 56 45 66 41 31 77 76 4f 6b 79 6a 2b 42 59 4f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 30 36 39 37 30 36 38 31 31 34 33 65 30 35 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 1VEfA1wvOkyj+BYO.3Context: d06970681143e05e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:11:18 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:11:18 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 4c 39 4d 30 34 66 55 7a 6b 4f 49 4e 32 45 71 73 68 74 51 4f 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: fL9M04fUzkOIN2EqshtQOA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50631	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:11:45 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 59 41 46 68 32 7a 30 53 53 30 2b 55 7a 55 36 62 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 66 31 65 39 66 35 62 64 66 33 65 37 33 33 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: YAFh2z0SS0+UzU6b.1Context: 2f1e9f5bdf3e7336
2025-01-14 20:11:45 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:11:45 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 59 41 46 68 32 7a 30 53 53 30 2b 55 7a 55 36 62 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 66 31 65 39 66 35 62 64 66 33 65 37 33 33 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: YAFh2z0SS0+UzU6b.2Context: 2f1e9f5bdf3e7336<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-14 20:11:45 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 59 41 46 68 32 7a 30 53 53 30 2b 55 7a 55 36 62 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 66 31 65 39 66 35 62 64 66 33 65 37 33 33 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: YAFh2z0SS0+UzU6b.3Context: 2f1e9f5bdf3e7336<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:11:45 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:11:45 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 76 32 74 55 34 39 62 4d 5a 55 4f 53 39 76 4c 6e 4d 58 41 58 69 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: v2tU49bMZUOS9vLnMXAXig.0Payload parsing failed.

Target ID:	0
Start time:	15:10:12
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll"
Imagebase:	0xca0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:10:12
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:10:12
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:10:12
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\m9oUIFauYl.dll,PlayGame
Imagebase:	0xd00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:10:12
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",#1
Imagebase:	0xd00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:10:12
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	1AA4152354EE92FDB2C8E1F11381A8E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2166045761.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2166194262.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:10:14
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	1AA4152354EE92FDB2C8E1F11381A8E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2188213919.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2188355159.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2838123149.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2838357581.0000000002287000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:10:15
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\m9oUIFauYl.dll",PlayGame
Imagebase:	0xd00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:10:15
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	1AA4152354EE92FDB2C8E1F11381A8E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2194580978.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2194747129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2209893875.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.2210111513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3
CreateFileA, xrefs: 00407D0F
WriteFile, xrefs: 00407D1C
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000006.00000002.2202101856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2202074214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202129080.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202239373.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2202101856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2202074214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202129080.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202239373.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2202101856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2202074214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202129080.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202239373.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2202101856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2202074214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202129080.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202239373.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2202101856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2202074214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202129080.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202171061.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202239373.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2202332421.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 2052, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2836911392.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2836895995.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836928266.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837002846.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837018578.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2836911392.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2836895995.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836928266.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837002846.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837018578.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000008.00000002.2836911392.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2836895995.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836928266.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837002846.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837018578.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
/i, xrefs: 00407E8D
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateFileA, xrefs: 00407D0F
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB

Memory Dump Source

Source File: 00000008.00000002.2836911392.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2836895995.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836928266.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837002846.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837018578.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2836911392.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2836895995.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836928266.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836945707.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2836987681.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837002846.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837018578.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2837131495.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report m9oUIFauYl.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
m9oUIFauYl.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON