Edit tour

Windows Analysis Report
eIZi481eP6.dll

Overview

General Information

Sample name:	eIZi481eP6.dll renamed because original name is a hash value
Original sample name:	7d7bf2240e76f419611094080e31948b.dll
Analysis ID:	1591284
MD5:	7d7bf2240e76f419611094080e31948b
SHA1:	471955bc47b05691cb6e4d745b08ca6f5de3d335
SHA256:	9b1ba31dfc982db0bad465668a06e241534ddb379d4ee3cf33946b29cddd994c
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7948 cmdline: loaddll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8000 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 8024 cmdline: rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8008 cmdline: rundll32.exe C:\Users\user\Desktop\eIZi481eP6.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 8088 cmdline: C:\WINDOWS\mssecsvr.exe MD5: E5CFF35706AB7BDAFA5F00F6FAD7058D)

rundll32.exe (PID: 7260 cmdline: rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7336 cmdline: C:\WINDOWS\mssecsvr.exe MD5: E5CFF35706AB7BDAFA5F00F6FAD7058D)

mssecsvr.exe (PID: 7188 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: E5CFF35706AB7BDAFA5F00F6FAD7058D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eIZi481eP6.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
eIZi481eP6.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
eIZi481eP6.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\mssecsvr.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvr.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\mssecsvr.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvr.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvr.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1417194747.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1400887390.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1374634946.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.1403754476.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 8088	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7188	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7336	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.22718c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4d084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.1d7f128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d7f128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.1d7f128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d7f128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.1d5c104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5c104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.1d5c104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d5c104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.2280948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2280948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.2280948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2280948.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22718c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22718c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.22718c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d4d084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d4d084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4d084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.22a396c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22a396c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.22a396c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22a396c.6.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.1d7f128.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d7f128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.1d7f128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d7f128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.22a396c.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22a396c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.22a396c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22a396c.6.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.2280948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2280948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.2280948.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5c104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5c104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x50c9d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.1d5c104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.227c8e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.227c8e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.227c8e8.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d580a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d580a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.1d580a4.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 117 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:11:36.688859+0100	2803304	3	Unknown Traffic	192.168.2.9	49750	103.224.212.215	80	TCP
2025-01-14T21:11:38.632358+0100	2803304	3	Unknown Traffic	192.168.2.9	49763	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:11:35.762015+0100	2830018	1	A Network Trojan was detected	192.168.2.9	63423	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: eIZi481eP6.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985dd	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051bd	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879f0	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\mssecsvr.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\Windows\mssecsvr.exe

ReversingLabs: Detection: 96%

Multi AV Scanner detection for submitted file

Source: eIZi481eP6.dll	Virustotal: Detection: 93%			Perma Link
Source: eIZi481eP6.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\mssecsvr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: eIZi481eP6.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: eIZi481eP6.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49959 version: TLS 1.0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.9:63423 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0711-3621-b2b0-8d3080c051bd HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885496.8445919
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0711-38c6-8000-741dcdd985dd HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0711-3814-92f5-579ab78879f0 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=7ae06bd6-da66-45e5-bf42-511b3c3bec92

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49763 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49750 -> 103.224.212.215:80

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49959 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.18
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.18
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.18
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.18
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 174.249.30.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.14
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.14
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.14
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.14
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.146.240.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.70
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.70
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.70
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.70
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.206.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 153.157.148.172
Source: unknown	TCP traffic detected without corresponding DNS query: 153.157.148.172
Source: unknown	TCP traffic detected without corresponding DNS query: 153.157.148.172
Source: unknown	TCP traffic detected without corresponding DNS query: 153.157.148.1
Source: unknown	TCP traffic detected without corresponding DNS query: 153.157.148.1
Source: unknown	TCP traffic detected without corresponding DNS query: 153.157.148.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0711-3621-b2b0-8d3080c051bd HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885496.8445919
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0711-38c6-8000-741dcdd985dd HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0711-3814-92f5-579ab78879f0 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=7ae06bd6-da66-45e5-bf42-511b3c3bec92

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1416685771.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051
Source: mssecsvr.exe, 0000000A.00000002.1417650449.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879
Source: mssecsvr.exe, 00000008.00000002.2052889581.000000000097B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985
Source: mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e
Source: mssecsvr.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1416685771.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&
Source: mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com//
Source: mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/F6
Source: mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/U
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/_
Source: mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/u
Source: mssecsvr.exe, 00000008.00000002.2052430296.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comM
Source: mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgs
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comm6
Source: mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comw

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: eIZi481eP6.dll, type: SAMPLE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22718c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d4d084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2280948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5c104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.227c8e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d580a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1417194747.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1400887390.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1374634946.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1403754476.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvr.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: eIZi481eP6.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: eIZi481eP6.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22718c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4d084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22718c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22718c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d4d084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4d084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.2280948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2280948.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5c104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5c104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.227c8e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.227c8e8.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d580a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d580a4.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: mssecsvr.exe.4.dr

Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: eIZi481eP6.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: eIZi481eP6.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: eIZi481eP6.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22718c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4d084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7f128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2280948.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22718c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22718c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d4d084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4d084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a396c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7f128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a396c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.2280948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2280948.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5c104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5c104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvr.exe.227c8e8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.227c8e8.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d580a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d580a4.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: eIZi481eP6.dll, mssecsvr.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03

Source: eIZi481eP6.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\eIZi481eP6.dll,PlayGame

Source: eIZi481eP6.dll	Virustotal: Detection: 93%
Source: eIZi481eP6.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\eIZi481eP6.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\eIZi481eP6.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: eIZi481eP6.dll

Static file information: File size 5267459 > 1048576

Source: eIZi481eP6.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\mssecsvr.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\mssecsvr.exe

Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe TID: 7572	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7572	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7576	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7576	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7572	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpr
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1415718996.000000000099C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2052889581.000000000099C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: mssecsvr.exe, 00000006.00000002.1416685771.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8c
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eIZi481eP6.dll	93%	Virustotal		Browse
eIZi481eP6.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
eIZi481eP6.dll	100%	Avira	TR/Ransom.Gen
eIZi481eP6.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvr.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvr.exe	100%	Joe Sandbox ML
C:\Windows\mssecsvr.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comM	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comw	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985dd	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051bd	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgs	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comm6	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879f0	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051bd	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985dd	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879f0	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com//	mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879	mssecsvr.exe, 0000000A.00000002.1417650449.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comw	mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&	mssecsvr.exe, 00000006.00000002.1416685771.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1417650449.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.1416685771.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051	mssecsvr.exe, 00000006.00000002.1416685771.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1416685771.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mssecsvr.exe.4.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comM	mssecsvr.exe, 00000006.00000002.1416685771.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/_	mssecsvr.exe, 00000006.00000002.1416685771.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985	mssecsvr.exe, 00000008.00000002.2052889581.000000000097B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2052430296.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgs	mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comm6	mssecsvr.exe, 00000006.00000002.1416685771.0000000000B40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/U	mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/u	mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2	mssecsvr.exe, 00000008.00000002.2052889581.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/F6	mssecsvr.exe, 00000006.00000002.1416685771.0000000000B40000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
14.83.224.2	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
14.83.224.1	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
2.65.247.1	unknown	Sweden	44034	HI3GSE	false
126.247.214.152	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
153.157.148.2	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
153.157.148.1	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
183.48.5.237	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
168.102.177.1	unknown	United States	6461	ZAYO-6461US	false
165.95.110.177	unknown	United States	1970	TAMUS-NETUS	false
187.16.168.99	unknown	Brazil	28256	HPEAUTOMOTORESDOBRASILLTDABR	false
58.51.75.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
174.249.30.18	unknown	United States	22394	CELLCOUS	false
1.153.139.2	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
1.153.139.1	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
145.91.202.42	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
159.61.241.64	unknown	United States	2386	INS-ASUS	false
182.119.252.121	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
11.220.125.22	unknown	United States	3356	LEVEL3US	false
180.146.240.14	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
160.141.203.86	unknown	United States	5972	DNIC-ASBLK-05800-06055US	false
7.224.74.160	unknown	United States	3356	LEVEL3US	false
126.147.175.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
7.224.74.1	unknown	United States	3356	LEVEL3US	false
153.157.148.172	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591284
Start date and time:	2025-01-14 21:10:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eIZi481eP6.dll renamed because original name is a hash value
Original Sample Name:	7d7bf2240e76f419611094080e31948b.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.17.190.73, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:11:36	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:12:12	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	logitix.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	EFT_Payment_Notification_Gheenirrigation.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	MissedCall_Record_3295935663.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	62.122.184.98 (2).ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	87.247.158.212.ps1	Get hash	malicious	LummaC	Browse	13.107.246.45
77026.bodis.com	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	103.224.212.215
	lJt3mQqCQl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HI3GSE	res.x86.elf	Get hash	malicious	Unknown	Browse	109.56.192.10
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	109.58.82.107
	armv7l.elf	Get hash	malicious	Unknown	Browse	2.68.124.6
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	37.250.34.164
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	109.56.155.56
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	37.250.34.175
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	95.209.80.190
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	37.250.167.225
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	2.67.189.204
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	2.67.3.204
KIXS-AS-KRKoreaTelecomKR	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	14.33.85.1
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	222.117.242.2
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	14.86.25.59
	meth3.elf	Get hash	malicious	Mirai	Browse	125.141.76.130
	meth8.elf	Get hash	malicious	Mirai	Browse	125.145.182.80
	meth1.elf	Get hash	malicious	Mirai	Browse	175.219.152.134
	arm4.elf	Get hash	malicious	Unknown	Browse	168.126.237.244
	ppc.elf	Get hash	malicious	Unknown	Browse	49.62.1.8
	i686.elf	Get hash	malicious	Unknown	Browse	218.148.15.61
	x86.elf	Get hash	malicious	Unknown	Browse	222.100.31.30
GIGAINFRASoftbankBBCorpJP	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	126.245.156.111
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	126.245.102.34
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	219.174.245.132
	meth10.elf	Get hash	malicious	Mirai	Browse	60.132.41.97
	meth3.elf	Get hash	malicious	Mirai	Browse	219.40.50.142
	meth8.elf	Get hash	malicious	Mirai	Browse	219.206.176.119
	arm4.elf	Get hash	malicious	Unknown	Browse	60.131.121.59
	ppc.elf	Get hash	malicious	Unknown	Browse	126.220.122.94
	m68k.elf	Get hash	malicious	Unknown	Browse	220.24.86.106
	i686.elf	Get hash	malicious	Unknown	Browse	221.64.220.35
KIXS-AS-KRKoreaTelecomKR	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	14.33.85.1
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	222.117.242.2
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	14.86.25.59
	meth3.elf	Get hash	malicious	Mirai	Browse	125.141.76.130
	meth8.elf	Get hash	malicious	Mirai	Browse	125.145.182.80
	meth1.elf	Get hash	malicious	Mirai	Browse	175.219.152.134
	arm4.elf	Get hash	malicious	Unknown	Browse	168.126.237.244
	ppc.elf	Get hash	malicious	Unknown	Browse	49.62.1.8
	i686.elf	Get hash	malicious	Unknown	Browse	218.148.15.61
	x86.elf	Get hash	malicious	Unknown	Browse	222.100.31.30

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	23.206.229.209
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	23.206.229.209
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	23.206.229.209
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	23.206.229.209
	http://titanys.mindsetmatters.buzz	Get hash	malicious	ScreenConnect Tool	Browse	23.206.229.209
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	23.206.229.209
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.206.229.209
	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	23.206.229.209
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209

Process:	C:\Windows\mssecsvr.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.3911323435152685
Encrypted:	false
SSDEEP:	6144:al4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN1xOBSqa:K4vF0MYQUMM6VFYLxU
MD5:	1C55E74CE95C9E47B02924B91EF7535B
SHA1:	A3C6FC671DE3ECA4EA685827B0463FAB9E6022F8
SHA-256:	C5E471BDCFF9E55146967F12000263258083297C98FEE31FD5C08EB553FA62E8
SHA-512:	9B96F8BD6A641D5808A4C0987414319B3CFBC584522CC3CB12AE7FF6150E9FB8B0B3A58E617762477F0AF713A7F01F00A4E8C833BD2F8A2E14A57DB0E9408894
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Jw..f................................................................................................................................................................................................................................................................................................................................................`.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvr.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2281472
Entropy (8bit):	6.764218931936953
Encrypted:	false
SSDEEP:	49152:VnFQqMSPbcBVQej/L+TSqTdX1HkQ6Rdhnvn:ZeqPoBhzLcSUDk7dhvn
MD5:	E5CFF35706AB7BDAFA5F00F6FAD7058D
SHA1:	A6756E9DB3524A9C9E43F6D7EC5864D7FD5D4EDD
SHA-256:	F031E5EB924B34B12C60E89ECA094091271F3481236FFB94C4E97215364F3D7D
SHA-512:	29721639BD0377430B747AB8913749BAAFF8B8C425B136FDB86876A30583EFE540B1459AFD45152E00D95FA90E0D07AAD91DD34A70D601989261934AC98AF6A3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvr.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L......................"...................@...........................P......................................................1..z...........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc.........1...... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.4836688678200654
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eIZi481eP6.dll
File size:	5'267'459 bytes
MD5:	7d7bf2240e76f419611094080e31948b
SHA1:	471955bc47b05691cb6e4d745b08ca6f5de3d335
SHA256:	9b1ba31dfc982db0bad465668a06e241534ddb379d4ee3cf33946b29cddd994c
SHA512:	e9c69c12b5ee003c5cdb67cfa14595e1438c19f7fed316cc009e8d6d6267781887042a059bcc2425770c8a9e3264f85725172c9b34870abb5bff7b82f01d07de
SSDEEP:	49152:MnFQqMSPbcBVQej/L+TSqTdX1HkQ6Rdhnv:seqPoBhzLcSUDk7dhv
TLSH:	53362319717CD2FCC60926B464678A2792B33C6626FE560F8F408B661C13B15FBA8B47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FF32C862F8Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FF32C862FA8h
cmp esi, 01h
je 00007FF32C862F87h
cmp esi, 02h
jne 00007FF32C862FA4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FF32C862F8Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FF32C862F8Eh
push edi
push esi
push ebx
call 00007FF32C862E9Ah
test eax, eax
jne 00007FF32C862F86h
xor eax, eax
jmp 00007FF32C862FD0h
push edi
push esi
push ebx
call 00007FF32C862D4Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FF32C862F8Eh
test eax, eax
jne 00007FF32C862FB9h
push edi
push eax
push ebx
call 00007FF32C862E76h
test esi, esi
je 00007FF32C862F87h
cmp esi, 03h
jne 00007FF32C862FA8h
push edi
push esi
push ebx
call 00007FF32C862E65h
test eax, eax
jne 00007FF32C862F85h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FF32C862F93h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FF32C862F8Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	82044d1d00f81dbb3ce9371781516e7f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770942687988281

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T21:11:35.762015+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.9	63423	1.1.1.1	53	UDP
2025-01-14T21:11:36.688859+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49750	103.224.212.215	80	TCP
2025-01-14T21:11:38.632358+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49763	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:11:27.571202040 CET	49676	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:27.573601961 CET	49675	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:27.696180105 CET	49674	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:29.086805105 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:11:33.899280071 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:11:35.102381945 CET	49673	443	192.168.2.9	204.79.197.203
Jan 14, 2025 21:11:36.070642948 CET	49750	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:36.075500965 CET	80	49750	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:36.075596094 CET	49750	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:36.076215029 CET	49750	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:36.080972910 CET	80	49750	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:36.688776016 CET	80	49750	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:36.688858986 CET	49750	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:36.689058065 CET	80	49750	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:36.689125061 CET	49750	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:36.693301916 CET	49750	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:36.698190928 CET	80	49750	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:37.180499077 CET	49676	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:37.180519104 CET	49675	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:37.181010962 CET	49759	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:37.185837030 CET	80	49759	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:37.185911894 CET	49759	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:37.186114073 CET	49759	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:37.190876961 CET	80	49759	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:37.305502892 CET	49674	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:37.679440975 CET	80	49759	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:37.679467916 CET	80	49759	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:37.679526091 CET	49759	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:37.685441017 CET	49759	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:37.685493946 CET	49759	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:37.970024109 CET	49763	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:37.974904060 CET	80	49763	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:37.974977970 CET	49763	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:37.975275040 CET	49763	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:37.980071068 CET	80	49763	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.185477018 CET	49767	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.190238953 CET	80	49767	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.190308094 CET	49767	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.190596104 CET	49767	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.195388079 CET	80	49767	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.632237911 CET	80	49763	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.632358074 CET	49763	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.635220051 CET	80	49763	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.635286093 CET	49763	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.663374901 CET	49763	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.668210983 CET	80	49763	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.680965900 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:38.685902119 CET	80	49770	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:38.685975075 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:38.705323935 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:38.710462093 CET	80	49770	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:38.798507929 CET	80	49767	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.798583984 CET	49767	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.798595905 CET	80	49767	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.798652887 CET	49767	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.815490961 CET	49767	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:11:38.816876888 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:38.820579052 CET	80	49767	103.224.212.215	192.168.2.9
Jan 14, 2025 21:11:38.821804047 CET	80	49772	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:38.825649023 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:38.828464031 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:38.833388090 CET	80	49772	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:39.084530115 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 21:11:39.085836887 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:39.162502050 CET	80	49770	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:39.162554979 CET	80	49770	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:39.162583113 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.162653923 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.168864965 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.168896914 CET	49770	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.205631018 CET	49776	445	192.168.2.9	174.249.30.18
Jan 14, 2025 21:11:39.210727930 CET	445	49776	174.249.30.18	192.168.2.9
Jan 14, 2025 21:11:39.210799932 CET	49776	445	192.168.2.9	174.249.30.18
Jan 14, 2025 21:11:39.210871935 CET	49776	445	192.168.2.9	174.249.30.18
Jan 14, 2025 21:11:39.212968111 CET	49777	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.215890884 CET	445	49776	174.249.30.18	192.168.2.9
Jan 14, 2025 21:11:39.216079950 CET	49776	445	192.168.2.9	174.249.30.18
Jan 14, 2025 21:11:39.217885971 CET	445	49777	174.249.30.1	192.168.2.9
Jan 14, 2025 21:11:39.217977047 CET	49777	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.219058037 CET	49777	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.222820044 CET	49778	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.223992109 CET	445	49777	174.249.30.1	192.168.2.9
Jan 14, 2025 21:11:39.224054098 CET	49777	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.227746964 CET	445	49778	174.249.30.1	192.168.2.9
Jan 14, 2025 21:11:39.227946043 CET	49778	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.227946043 CET	49778	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:11:39.232810974 CET	445	49778	174.249.30.1	192.168.2.9
Jan 14, 2025 21:11:39.310545921 CET	80	49772	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:39.310574055 CET	80	49772	199.59.243.228	192.168.2.9
Jan 14, 2025 21:11:39.310614109 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.310667038 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.325267076 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:39.325314045 CET	49772	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:11:41.215493917 CET	49813	445	192.168.2.9	180.146.240.14
Jan 14, 2025 21:11:41.220352888 CET	445	49813	180.146.240.14	192.168.2.9
Jan 14, 2025 21:11:41.220427990 CET	49813	445	192.168.2.9	180.146.240.14
Jan 14, 2025 21:11:41.220452070 CET	49813	445	192.168.2.9	180.146.240.14
Jan 14, 2025 21:11:41.221389055 CET	49814	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:41.226253986 CET	445	49813	180.146.240.14	192.168.2.9
Jan 14, 2025 21:11:41.226289034 CET	445	49814	180.146.240.1	192.168.2.9
Jan 14, 2025 21:11:41.226311922 CET	49813	445	192.168.2.9	180.146.240.14
Jan 14, 2025 21:11:41.226347923 CET	49814	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:41.226428986 CET	49814	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:41.228110075 CET	49815	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:41.232315063 CET	445	49814	180.146.240.1	192.168.2.9
Jan 14, 2025 21:11:41.232956886 CET	445	49815	180.146.240.1	192.168.2.9
Jan 14, 2025 21:11:41.233068943 CET	49815	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:41.233068943 CET	49815	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:41.237981081 CET	445	49815	180.146.240.1	192.168.2.9
Jan 14, 2025 21:11:41.254093885 CET	445	49814	180.146.240.1	192.168.2.9
Jan 14, 2025 21:11:41.254163980 CET	49814	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:11:43.229053020 CET	49852	445	192.168.2.9	189.221.206.70
Jan 14, 2025 21:11:43.236458063 CET	445	49852	189.221.206.70	192.168.2.9
Jan 14, 2025 21:11:43.236536026 CET	49852	445	192.168.2.9	189.221.206.70
Jan 14, 2025 21:11:43.236568928 CET	49852	445	192.168.2.9	189.221.206.70
Jan 14, 2025 21:11:43.236771107 CET	49853	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.242067099 CET	445	49853	189.221.206.1	192.168.2.9
Jan 14, 2025 21:11:43.242130995 CET	49853	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.242176056 CET	49853	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.243279934 CET	49854	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.248410940 CET	445	49854	189.221.206.1	192.168.2.9
Jan 14, 2025 21:11:43.248481035 CET	49854	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.248567104 CET	49854	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.248723030 CET	445	49852	189.221.206.70	192.168.2.9
Jan 14, 2025 21:11:43.248735905 CET	445	49853	189.221.206.1	192.168.2.9
Jan 14, 2025 21:11:43.253576040 CET	445	49854	189.221.206.1	192.168.2.9
Jan 14, 2025 21:11:43.253904104 CET	445	49852	189.221.206.70	192.168.2.9
Jan 14, 2025 21:11:43.253963947 CET	49852	445	192.168.2.9	189.221.206.70
Jan 14, 2025 21:11:43.255029917 CET	445	49853	189.221.206.1	192.168.2.9
Jan 14, 2025 21:11:43.255075932 CET	49853	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:11:43.508698940 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:11:45.245430946 CET	49886	445	192.168.2.9	153.157.148.172
Jan 14, 2025 21:11:45.250281096 CET	445	49886	153.157.148.172	192.168.2.9
Jan 14, 2025 21:11:45.250356913 CET	49886	445	192.168.2.9	153.157.148.172
Jan 14, 2025 21:11:45.250514030 CET	49886	445	192.168.2.9	153.157.148.172
Jan 14, 2025 21:11:45.250847101 CET	49888	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.255609035 CET	445	49888	153.157.148.1	192.168.2.9
Jan 14, 2025 21:11:45.255662918 CET	49888	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.255736113 CET	49888	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.256305933 CET	445	49886	153.157.148.172	192.168.2.9
Jan 14, 2025 21:11:45.257380009 CET	49889	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.262173891 CET	445	49889	153.157.148.1	192.168.2.9
Jan 14, 2025 21:11:45.262236118 CET	49889	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.262286901 CET	49889	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.262748003 CET	445	49886	153.157.148.172	192.168.2.9
Jan 14, 2025 21:11:45.262793064 CET	49886	445	192.168.2.9	153.157.148.172
Jan 14, 2025 21:11:45.262947083 CET	445	49888	153.157.148.1	192.168.2.9
Jan 14, 2025 21:11:45.262998104 CET	49888	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:11:45.267141104 CET	445	49889	153.157.148.1	192.168.2.9
Jan 14, 2025 21:11:47.260010958 CET	49924	445	192.168.2.9	192.130.61.132
Jan 14, 2025 21:11:47.264947891 CET	445	49924	192.130.61.132	192.168.2.9
Jan 14, 2025 21:11:47.265024900 CET	49924	445	192.168.2.9	192.130.61.132
Jan 14, 2025 21:11:47.270160913 CET	49924	445	192.168.2.9	192.130.61.132
Jan 14, 2025 21:11:47.270391941 CET	49925	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:47.275232077 CET	445	49925	192.130.61.1	192.168.2.9
Jan 14, 2025 21:11:47.275331974 CET	49925	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:47.275465012 CET	49925	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:47.276273966 CET	445	49924	192.130.61.132	192.168.2.9
Jan 14, 2025 21:11:47.276479006 CET	49927	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:47.281327963 CET	445	49927	192.130.61.1	192.168.2.9
Jan 14, 2025 21:11:47.281410933 CET	49927	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:47.281506062 CET	49927	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:47.284276009 CET	445	49925	192.130.61.1	192.168.2.9
Jan 14, 2025 21:11:47.285885096 CET	445	49924	192.130.61.132	192.168.2.9
Jan 14, 2025 21:11:47.285938025 CET	49924	445	192.168.2.9	192.130.61.132
Jan 14, 2025 21:11:47.286261082 CET	445	49927	192.130.61.1	192.168.2.9
Jan 14, 2025 21:11:47.286792040 CET	445	49925	192.130.61.1	192.168.2.9
Jan 14, 2025 21:11:47.286839008 CET	49925	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:11:49.186892033 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:49.186965942 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:49.187391043 CET	49959	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:49.187439919 CET	443	49959	23.206.229.209	192.168.2.9
Jan 14, 2025 21:11:49.187501907 CET	49959	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:49.187805891 CET	49959	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:49.187824011 CET	443	49959	23.206.229.209	192.168.2.9
Jan 14, 2025 21:11:49.191814899 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 21:11:49.191833973 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 21:11:49.275507927 CET	49961	445	192.168.2.9	14.83.224.183
Jan 14, 2025 21:11:49.280599117 CET	445	49961	14.83.224.183	192.168.2.9
Jan 14, 2025 21:11:49.280674934 CET	49961	445	192.168.2.9	14.83.224.183
Jan 14, 2025 21:11:49.280736923 CET	49961	445	192.168.2.9	14.83.224.183
Jan 14, 2025 21:11:49.280997038 CET	49962	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.285774946 CET	445	49962	14.83.224.1	192.168.2.9
Jan 14, 2025 21:11:49.285826921 CET	445	49961	14.83.224.183	192.168.2.9
Jan 14, 2025 21:11:49.285862923 CET	49962	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.285880089 CET	49962	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.285885096 CET	49961	445	192.168.2.9	14.83.224.183
Jan 14, 2025 21:11:49.287111998 CET	49963	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.291882038 CET	445	49963	14.83.224.1	192.168.2.9
Jan 14, 2025 21:11:49.291944981 CET	49963	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.292031050 CET	49963	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.292290926 CET	445	49962	14.83.224.1	192.168.2.9
Jan 14, 2025 21:11:49.295488119 CET	445	49962	14.83.224.1	192.168.2.9
Jan 14, 2025 21:11:49.295641899 CET	49962	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:11:49.296777964 CET	445	49963	14.83.224.1	192.168.2.9
Jan 14, 2025 21:11:49.786879063 CET	443	49959	23.206.229.209	192.168.2.9
Jan 14, 2025 21:11:49.786978960 CET	49959	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:11:51.290527105 CET	49997	445	192.168.2.9	1.153.139.213
Jan 14, 2025 21:11:51.296464920 CET	445	49997	1.153.139.213	192.168.2.9
Jan 14, 2025 21:11:51.296647072 CET	49997	445	192.168.2.9	1.153.139.213
Jan 14, 2025 21:11:51.296647072 CET	49997	445	192.168.2.9	1.153.139.213
Jan 14, 2025 21:11:51.296813011 CET	49998	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.302719116 CET	445	49998	1.153.139.1	192.168.2.9
Jan 14, 2025 21:11:51.302784920 CET	49998	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.302840948 CET	49998	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.303159952 CET	49999	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.303505898 CET	445	49997	1.153.139.213	192.168.2.9
Jan 14, 2025 21:11:51.303637028 CET	49997	445	192.168.2.9	1.153.139.213
Jan 14, 2025 21:11:51.308832884 CET	445	49998	1.153.139.1	192.168.2.9
Jan 14, 2025 21:11:51.308897018 CET	49998	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.308989048 CET	445	49999	1.153.139.1	192.168.2.9
Jan 14, 2025 21:11:51.309756041 CET	49999	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.309756041 CET	49999	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:11:51.315558910 CET	445	49999	1.153.139.1	192.168.2.9
Jan 14, 2025 21:11:53.306504965 CET	50034	445	192.168.2.9	11.220.125.22
Jan 14, 2025 21:11:53.311485052 CET	445	50034	11.220.125.22	192.168.2.9
Jan 14, 2025 21:11:53.311592102 CET	50034	445	192.168.2.9	11.220.125.22
Jan 14, 2025 21:11:53.311686039 CET	50034	445	192.168.2.9	11.220.125.22
Jan 14, 2025 21:11:53.311867952 CET	50035	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.316781044 CET	445	50035	11.220.125.1	192.168.2.9
Jan 14, 2025 21:11:53.316888094 CET	50035	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.316972017 CET	50035	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.317047119 CET	445	50034	11.220.125.22	192.168.2.9
Jan 14, 2025 21:11:53.317202091 CET	50036	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.317251921 CET	50034	445	192.168.2.9	11.220.125.22
Jan 14, 2025 21:11:53.322123051 CET	445	50036	11.220.125.1	192.168.2.9
Jan 14, 2025 21:11:53.323122025 CET	50036	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.323224068 CET	50036	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.324321985 CET	445	50035	11.220.125.1	192.168.2.9
Jan 14, 2025 21:11:53.324373960 CET	445	50035	11.220.125.1	192.168.2.9
Jan 14, 2025 21:11:53.324490070 CET	50035	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:11:53.328064919 CET	445	50036	11.220.125.1	192.168.2.9
Jan 14, 2025 21:11:55.321702957 CET	50072	445	192.168.2.9	126.147.175.206
Jan 14, 2025 21:11:55.326612949 CET	445	50072	126.147.175.206	192.168.2.9
Jan 14, 2025 21:11:55.326689959 CET	50072	445	192.168.2.9	126.147.175.206
Jan 14, 2025 21:11:55.326710939 CET	50072	445	192.168.2.9	126.147.175.206
Jan 14, 2025 21:11:55.326828957 CET	50073	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.331653118 CET	445	50073	126.147.175.1	192.168.2.9
Jan 14, 2025 21:11:55.331727028 CET	50073	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.331799984 CET	50073	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.332197905 CET	50074	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.332288027 CET	445	50072	126.147.175.206	192.168.2.9
Jan 14, 2025 21:11:55.333347082 CET	445	50072	126.147.175.206	192.168.2.9
Jan 14, 2025 21:11:55.333408117 CET	50072	445	192.168.2.9	126.147.175.206
Jan 14, 2025 21:11:55.337091923 CET	445	50074	126.147.175.1	192.168.2.9
Jan 14, 2025 21:11:55.337162018 CET	50074	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.337193966 CET	50074	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.337291956 CET	445	50073	126.147.175.1	192.168.2.9
Jan 14, 2025 21:11:55.337589979 CET	50073	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:11:55.342108965 CET	445	50074	126.147.175.1	192.168.2.9
Jan 14, 2025 21:11:57.337412119 CET	50105	445	192.168.2.9	168.102.177.212
Jan 14, 2025 21:11:57.342447042 CET	445	50105	168.102.177.212	192.168.2.9
Jan 14, 2025 21:11:57.342533112 CET	50105	445	192.168.2.9	168.102.177.212
Jan 14, 2025 21:11:57.342576027 CET	50105	445	192.168.2.9	168.102.177.212
Jan 14, 2025 21:11:57.342720032 CET	50106	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.347512960 CET	445	50106	168.102.177.1	192.168.2.9
Jan 14, 2025 21:11:57.347578049 CET	50106	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.347592115 CET	50106	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.347614050 CET	445	50105	168.102.177.212	192.168.2.9
Jan 14, 2025 21:11:57.347676039 CET	50105	445	192.168.2.9	168.102.177.212
Jan 14, 2025 21:11:57.347882032 CET	50107	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.352560043 CET	445	50106	168.102.177.1	192.168.2.9
Jan 14, 2025 21:11:57.352608919 CET	50106	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.352654934 CET	445	50107	168.102.177.1	192.168.2.9
Jan 14, 2025 21:11:57.352718115 CET	50107	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.352771044 CET	50107	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:11:57.357564926 CET	445	50107	168.102.177.1	192.168.2.9
Jan 14, 2025 21:11:59.353022099 CET	50140	445	192.168.2.9	58.51.75.195
Jan 14, 2025 21:11:59.359275103 CET	445	50140	58.51.75.195	192.168.2.9
Jan 14, 2025 21:11:59.359378099 CET	50140	445	192.168.2.9	58.51.75.195
Jan 14, 2025 21:11:59.359447956 CET	50140	445	192.168.2.9	58.51.75.195
Jan 14, 2025 21:11:59.359582901 CET	50141	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.365221024 CET	445	50140	58.51.75.195	192.168.2.9
Jan 14, 2025 21:11:59.365302086 CET	50140	445	192.168.2.9	58.51.75.195
Jan 14, 2025 21:11:59.365504026 CET	445	50141	58.51.75.1	192.168.2.9
Jan 14, 2025 21:11:59.365580082 CET	50141	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.365638018 CET	50141	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.365930080 CET	50142	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.371834040 CET	445	50142	58.51.75.1	192.168.2.9
Jan 14, 2025 21:11:59.371913910 CET	50142	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.371938944 CET	445	50141	58.51.75.1	192.168.2.9
Jan 14, 2025 21:11:59.371941090 CET	50142	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.371989965 CET	50141	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:11:59.376760006 CET	445	50142	58.51.75.1	192.168.2.9
Jan 14, 2025 21:12:00.621687889 CET	445	49778	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:00.622034073 CET	49778	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:00.622119904 CET	49778	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:00.622119904 CET	49778	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:00.626890898 CET	445	49778	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:00.626909018 CET	445	49778	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:01.380669117 CET	50179	445	192.168.2.9	2.65.247.53
Jan 14, 2025 21:12:01.385476112 CET	445	50179	2.65.247.53	192.168.2.9
Jan 14, 2025 21:12:01.385550022 CET	50179	445	192.168.2.9	2.65.247.53
Jan 14, 2025 21:12:01.385596037 CET	50179	445	192.168.2.9	2.65.247.53
Jan 14, 2025 21:12:01.385761976 CET	50180	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.390588045 CET	445	50180	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:01.390666008 CET	50180	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.390712976 CET	50180	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.390961885 CET	445	50179	2.65.247.53	192.168.2.9
Jan 14, 2025 21:12:01.391012907 CET	50179	445	192.168.2.9	2.65.247.53
Jan 14, 2025 21:12:01.391073942 CET	50181	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.395620108 CET	445	50180	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:01.395675898 CET	50180	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.395942926 CET	445	50181	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:01.396290064 CET	50181	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.396322966 CET	50181	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:01.401094913 CET	445	50181	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:02.639494896 CET	445	49815	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:02.639658928 CET	49815	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:02.639765978 CET	49815	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:02.639847040 CET	49815	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:02.644646883 CET	445	49815	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:02.644682884 CET	445	49815	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:03.495122910 CET	50214	445	192.168.2.9	83.144.215.228
Jan 14, 2025 21:12:03.499948978 CET	445	50214	83.144.215.228	192.168.2.9
Jan 14, 2025 21:12:03.499996901 CET	50214	445	192.168.2.9	83.144.215.228
Jan 14, 2025 21:12:03.500071049 CET	50214	445	192.168.2.9	83.144.215.228
Jan 14, 2025 21:12:03.500416994 CET	50217	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.504975080 CET	445	50214	83.144.215.228	192.168.2.9
Jan 14, 2025 21:12:03.505017042 CET	50214	445	192.168.2.9	83.144.215.228
Jan 14, 2025 21:12:03.505189896 CET	445	50217	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:03.505237103 CET	50217	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.505486012 CET	50217	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.505825043 CET	50219	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.510221958 CET	445	50217	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:03.510262012 CET	50217	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.510575056 CET	445	50219	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:03.510620117 CET	50219	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.510682106 CET	50219	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:03.515399933 CET	445	50219	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:03.634111881 CET	50224	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:03.638952971 CET	445	50224	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:03.639004946 CET	50224	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:03.639046907 CET	50224	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:03.643811941 CET	445	50224	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:04.590909958 CET	445	49854	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:04.591049910 CET	49854	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:04.591049910 CET	49854	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:04.591146946 CET	49854	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:04.595932007 CET	445	49854	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:04.595942974 CET	445	49854	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:05.433681965 CET	50236	445	192.168.2.9	145.91.202.42
Jan 14, 2025 21:12:05.438613892 CET	445	50236	145.91.202.42	192.168.2.9
Jan 14, 2025 21:12:05.438725948 CET	50236	445	192.168.2.9	145.91.202.42
Jan 14, 2025 21:12:05.438922882 CET	50236	445	192.168.2.9	145.91.202.42
Jan 14, 2025 21:12:05.438934088 CET	50237	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.443798065 CET	445	50237	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:05.443809986 CET	445	50236	145.91.202.42	192.168.2.9
Jan 14, 2025 21:12:05.443902969 CET	50236	445	192.168.2.9	145.91.202.42
Jan 14, 2025 21:12:05.443911076 CET	50237	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.444123983 CET	50237	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.444474936 CET	50238	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.448925018 CET	445	50237	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:05.449105978 CET	50237	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.449316025 CET	445	50238	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:05.451771975 CET	50238	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.451834917 CET	50238	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:05.456631899 CET	445	50238	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:05.649709940 CET	50239	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:05.654906034 CET	445	50239	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:05.654985905 CET	50239	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:05.655055046 CET	50239	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:05.659859896 CET	445	50239	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:06.606246948 CET	445	49889	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:06.606376886 CET	49889	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:06.606460094 CET	49889	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:06.606564045 CET	49889	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:06.611248016 CET	445	49889	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:06.611295938 CET	445	49889	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:07.446768999 CET	50254	445	192.168.2.9	183.48.5.237
Jan 14, 2025 21:12:07.451848984 CET	445	50254	183.48.5.237	192.168.2.9
Jan 14, 2025 21:12:07.451931953 CET	50254	445	192.168.2.9	183.48.5.237
Jan 14, 2025 21:12:07.452023029 CET	50254	445	192.168.2.9	183.48.5.237
Jan 14, 2025 21:12:07.452188015 CET	50255	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.457004070 CET	445	50254	183.48.5.237	192.168.2.9
Jan 14, 2025 21:12:07.457057953 CET	50254	445	192.168.2.9	183.48.5.237
Jan 14, 2025 21:12:07.457101107 CET	445	50255	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:07.457190990 CET	50255	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.457216024 CET	50255	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.457546949 CET	50256	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.462349892 CET	445	50255	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:07.462400913 CET	50255	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.462555885 CET	445	50256	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:07.462615013 CET	50256	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.462644100 CET	50256	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:07.467917919 CET	445	50256	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:07.611008883 CET	50258	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:07.615956068 CET	445	50258	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:07.616039991 CET	50258	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:07.616199017 CET	50258	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:07.620945930 CET	445	50258	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:08.654908895 CET	445	49927	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:08.655050993 CET	49927	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:08.655050993 CET	49927	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:08.655142069 CET	49927	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:08.659806967 CET	445	49927	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:08.659854889 CET	445	49927	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:08.963254929 CET	443	49959	23.206.229.209	192.168.2.9
Jan 14, 2025 21:12:08.963977098 CET	49959	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:12:09.462295055 CET	50269	445	192.168.2.9	187.16.168.99
Jan 14, 2025 21:12:09.467187881 CET	445	50269	187.16.168.99	192.168.2.9
Jan 14, 2025 21:12:09.467291117 CET	50269	445	192.168.2.9	187.16.168.99
Jan 14, 2025 21:12:09.467291117 CET	50269	445	192.168.2.9	187.16.168.99
Jan 14, 2025 21:12:09.467499018 CET	50270	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.472413063 CET	445	50269	187.16.168.99	192.168.2.9
Jan 14, 2025 21:12:09.472443104 CET	445	50269	187.16.168.99	192.168.2.9
Jan 14, 2025 21:12:09.472472906 CET	445	50270	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:09.472496986 CET	50269	445	192.168.2.9	187.16.168.99
Jan 14, 2025 21:12:09.472553015 CET	50270	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.472642899 CET	50270	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.472954988 CET	50271	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.477559090 CET	445	50270	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:09.477683067 CET	50270	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.477802992 CET	445	50271	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:09.477861881 CET	50271	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.477889061 CET	50271	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:09.482687950 CET	445	50271	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:09.621969938 CET	50274	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:09.626786947 CET	445	50274	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:09.626848936 CET	50274	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:09.626888037 CET	50274	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:09.631638050 CET	445	50274	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:10.637715101 CET	445	49963	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:10.637789011 CET	49963	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:10.637839079 CET	49963	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:10.637927055 CET	49963	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:10.642610073 CET	445	49963	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:10.642644882 CET	445	49963	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:11.477982044 CET	50288	445	192.168.2.9	189.79.98.248
Jan 14, 2025 21:12:11.482894897 CET	445	50288	189.79.98.248	192.168.2.9
Jan 14, 2025 21:12:11.483067989 CET	50288	445	192.168.2.9	189.79.98.248
Jan 14, 2025 21:12:11.483103991 CET	50288	445	192.168.2.9	189.79.98.248
Jan 14, 2025 21:12:11.483314991 CET	50289	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.487994909 CET	445	50288	189.79.98.248	192.168.2.9
Jan 14, 2025 21:12:11.488049030 CET	50288	445	192.168.2.9	189.79.98.248
Jan 14, 2025 21:12:11.489684105 CET	445	50289	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:11.489820957 CET	50289	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.489821911 CET	50289	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.490060091 CET	50290	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.494774103 CET	445	50289	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:11.494832993 CET	50289	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.495374918 CET	445	50290	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:11.495434046 CET	50290	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.495454073 CET	50290	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:11.500215054 CET	445	50290	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:11.665405035 CET	50291	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:11.670327902 CET	445	50291	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:11.670409918 CET	50291	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:11.670496941 CET	50291	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:11.675348043 CET	445	50291	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:12.702173948 CET	445	49999	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:12.704395056 CET	49999	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:12.705343962 CET	49999	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:12.705450058 CET	49999	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:12.710184097 CET	445	49999	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:12.710210085 CET	445	49999	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:13.495155096 CET	50294	445	192.168.2.9	159.61.241.64
Jan 14, 2025 21:12:13.500164032 CET	445	50294	159.61.241.64	192.168.2.9
Jan 14, 2025 21:12:13.500241995 CET	50294	445	192.168.2.9	159.61.241.64
Jan 14, 2025 21:12:13.500282049 CET	50294	445	192.168.2.9	159.61.241.64
Jan 14, 2025 21:12:13.500510931 CET	50295	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.505337000 CET	445	50294	159.61.241.64	192.168.2.9
Jan 14, 2025 21:12:13.505419016 CET	50294	445	192.168.2.9	159.61.241.64
Jan 14, 2025 21:12:13.505434990 CET	445	50295	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:13.505599022 CET	50295	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.505599022 CET	50295	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.505902052 CET	50296	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.510710955 CET	445	50295	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:13.510768890 CET	50295	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.510770082 CET	445	50296	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:13.510838032 CET	50296	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.510894060 CET	50296	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:13.516697884 CET	445	50296	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:13.649954081 CET	50297	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:13.654928923 CET	445	50297	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:13.655009985 CET	50297	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:13.655061007 CET	50297	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:13.659818888 CET	445	50297	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:14.684684038 CET	445	50036	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:14.684837103 CET	50036	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:14.684838057 CET	50036	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:14.684932947 CET	50036	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:14.689862013 CET	445	50036	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:14.689877987 CET	445	50036	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:15.368606091 CET	50298	445	192.168.2.9	7.224.74.160
Jan 14, 2025 21:12:15.373541117 CET	445	50298	7.224.74.160	192.168.2.9
Jan 14, 2025 21:12:15.373684883 CET	50298	445	192.168.2.9	7.224.74.160
Jan 14, 2025 21:12:15.373720884 CET	50298	445	192.168.2.9	7.224.74.160
Jan 14, 2025 21:12:15.373934031 CET	50299	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.378793001 CET	445	50299	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:15.378901958 CET	50299	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.378961086 CET	50299	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.379303932 CET	50300	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.379729986 CET	445	50298	7.224.74.160	192.168.2.9
Jan 14, 2025 21:12:15.379905939 CET	50298	445	192.168.2.9	7.224.74.160
Jan 14, 2025 21:12:15.384073973 CET	445	50299	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:15.384100914 CET	445	50300	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:15.384162903 CET	50300	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.384169102 CET	50299	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.384227037 CET	50300	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:15.389055967 CET	445	50300	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:15.712070942 CET	50301	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:15.717125893 CET	445	50301	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:15.717201948 CET	50301	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:15.717247009 CET	50301	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:15.722085953 CET	445	50301	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:16.735521078 CET	445	50074	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:16.735661983 CET	50074	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:16.735662937 CET	50074	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:16.735748053 CET	50074	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:16.740685940 CET	445	50074	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:16.740717888 CET	445	50074	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:17.121690989 CET	50302	445	192.168.2.9	73.53.142.49
Jan 14, 2025 21:12:17.126610041 CET	445	50302	73.53.142.49	192.168.2.9
Jan 14, 2025 21:12:17.126787901 CET	50302	445	192.168.2.9	73.53.142.49
Jan 14, 2025 21:12:17.126787901 CET	50302	445	192.168.2.9	73.53.142.49
Jan 14, 2025 21:12:17.127032042 CET	50303	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.131755114 CET	445	50302	73.53.142.49	192.168.2.9
Jan 14, 2025 21:12:17.131793022 CET	445	50303	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:17.131886005 CET	50302	445	192.168.2.9	73.53.142.49
Jan 14, 2025 21:12:17.131896019 CET	50303	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.132038116 CET	50303	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.133683920 CET	50304	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.137029886 CET	445	50303	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:17.137166977 CET	50303	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.138500929 CET	445	50304	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:17.138602972 CET	50304	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.139332056 CET	50304	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:17.144109011 CET	445	50304	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:17.696646929 CET	50305	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:17.701632023 CET	445	50305	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:17.701853037 CET	50305	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:17.701853037 CET	50305	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:17.706702948 CET	445	50305	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:18.733203888 CET	445	50107	168.102.177.1	192.168.2.9
Jan 14, 2025 21:12:18.733273029 CET	50107	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:18.733310938 CET	50107	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:18.733350992 CET	50107	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:18.738188982 CET	445	50107	168.102.177.1	192.168.2.9
Jan 14, 2025 21:12:18.738200903 CET	445	50107	168.102.177.1	192.168.2.9
Jan 14, 2025 21:12:18.759252071 CET	50306	445	192.168.2.9	199.34.37.89
Jan 14, 2025 21:12:18.764173985 CET	445	50306	199.34.37.89	192.168.2.9
Jan 14, 2025 21:12:18.764256001 CET	50306	445	192.168.2.9	199.34.37.89
Jan 14, 2025 21:12:18.764292002 CET	50306	445	192.168.2.9	199.34.37.89
Jan 14, 2025 21:12:18.764410019 CET	50307	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.769160986 CET	445	50307	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:18.769232035 CET	50307	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.769237995 CET	445	50306	199.34.37.89	192.168.2.9
Jan 14, 2025 21:12:18.769287109 CET	50306	445	192.168.2.9	199.34.37.89
Jan 14, 2025 21:12:18.769412041 CET	50307	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.770015955 CET	50308	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.774241924 CET	445	50307	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:18.774436951 CET	50307	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.774764061 CET	445	50308	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:18.775038958 CET	50308	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.775038958 CET	50308	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:18.779890060 CET	445	50308	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:19.743292093 CET	50309	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:19.748094082 CET	445	50309	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:19.748181105 CET	50309	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:19.748239994 CET	50309	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:19.752996922 CET	445	50309	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:20.290520906 CET	50310	445	192.168.2.9	165.95.110.177
Jan 14, 2025 21:12:20.295953989 CET	445	50310	165.95.110.177	192.168.2.9
Jan 14, 2025 21:12:20.296049118 CET	50310	445	192.168.2.9	165.95.110.177
Jan 14, 2025 21:12:20.296143055 CET	50310	445	192.168.2.9	165.95.110.177
Jan 14, 2025 21:12:20.296331882 CET	50311	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.301161051 CET	445	50311	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:20.301280022 CET	50311	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.301347017 CET	50311	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.301552057 CET	445	50310	165.95.110.177	192.168.2.9
Jan 14, 2025 21:12:20.301609039 CET	50310	445	192.168.2.9	165.95.110.177
Jan 14, 2025 21:12:20.301776886 CET	50312	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.306503057 CET	445	50311	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:20.306560993 CET	50311	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.306628942 CET	445	50312	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:20.306694031 CET	50312	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.306744099 CET	50312	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:20.311536074 CET	445	50312	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:20.751451969 CET	445	50142	58.51.75.1	192.168.2.9
Jan 14, 2025 21:12:20.751517057 CET	50142	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:20.751559973 CET	50142	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:20.751605988 CET	50142	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:20.757283926 CET	445	50142	58.51.75.1	192.168.2.9
Jan 14, 2025 21:12:20.757297993 CET	445	50142	58.51.75.1	192.168.2.9
Jan 14, 2025 21:12:21.712647915 CET	50313	445	192.168.2.9	195.147.126.241
Jan 14, 2025 21:12:21.743612051 CET	50314	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:21.761543989 CET	445	50313	195.147.126.241	192.168.2.9
Jan 14, 2025 21:12:21.761558056 CET	445	50314	168.102.177.1	192.168.2.9
Jan 14, 2025 21:12:21.761914015 CET	50313	445	192.168.2.9	195.147.126.241
Jan 14, 2025 21:12:21.762067080 CET	50314	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:21.762069941 CET	50313	445	192.168.2.9	195.147.126.241
Jan 14, 2025 21:12:21.762319088 CET	50314	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:21.762403011 CET	50315	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.767057896 CET	445	50313	195.147.126.241	192.168.2.9
Jan 14, 2025 21:12:21.767110109 CET	445	50314	168.102.177.1	192.168.2.9
Jan 14, 2025 21:12:21.767296076 CET	445	50315	195.147.126.1	192.168.2.9
Jan 14, 2025 21:12:21.767378092 CET	50313	445	192.168.2.9	195.147.126.241
Jan 14, 2025 21:12:21.767430067 CET	50315	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.767520905 CET	50315	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.767865896 CET	50316	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.772775888 CET	445	50315	195.147.126.1	192.168.2.9
Jan 14, 2025 21:12:21.772795916 CET	445	50316	195.147.126.1	192.168.2.9
Jan 14, 2025 21:12:21.773791075 CET	50315	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.773813963 CET	50316	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.773854971 CET	50316	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:21.778624058 CET	445	50316	195.147.126.1	192.168.2.9
Jan 14, 2025 21:12:22.815443039 CET	445	50181	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:22.815629959 CET	50181	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:22.815790892 CET	50181	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:22.816093922 CET	50181	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:22.820686102 CET	445	50181	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:22.820949078 CET	445	50181	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:23.040636063 CET	50317	445	192.168.2.9	221.101.136.206
Jan 14, 2025 21:12:23.045772076 CET	445	50317	221.101.136.206	192.168.2.9
Jan 14, 2025 21:12:23.045890093 CET	50317	445	192.168.2.9	221.101.136.206
Jan 14, 2025 21:12:23.046011925 CET	50317	445	192.168.2.9	221.101.136.206
Jan 14, 2025 21:12:23.046241999 CET	50318	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.051028967 CET	445	50317	221.101.136.206	192.168.2.9
Jan 14, 2025 21:12:23.051100016 CET	445	50318	221.101.136.1	192.168.2.9
Jan 14, 2025 21:12:23.051110029 CET	50317	445	192.168.2.9	221.101.136.206
Jan 14, 2025 21:12:23.051167965 CET	50318	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.051227093 CET	50318	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.051558018 CET	50319	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.056191921 CET	445	50318	221.101.136.1	192.168.2.9
Jan 14, 2025 21:12:23.056248903 CET	50318	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.056461096 CET	445	50319	221.101.136.1	192.168.2.9
Jan 14, 2025 21:12:23.056520939 CET	50319	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.056586027 CET	50319	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:23.061399937 CET	445	50319	221.101.136.1	192.168.2.9
Jan 14, 2025 21:12:23.384093046 CET	49705	80	192.168.2.9	199.232.214.172
Jan 14, 2025 21:12:23.389250994 CET	80	49705	199.232.214.172	192.168.2.9
Jan 14, 2025 21:12:23.389389038 CET	49705	80	192.168.2.9	199.232.214.172
Jan 14, 2025 21:12:23.759015083 CET	50320	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:23.764019012 CET	445	50320	58.51.75.1	192.168.2.9
Jan 14, 2025 21:12:23.764760017 CET	50320	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:23.764789104 CET	50320	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:23.769552946 CET	445	50320	58.51.75.1	192.168.2.9
Jan 14, 2025 21:12:24.274885893 CET	50321	445	192.168.2.9	165.79.21.227
Jan 14, 2025 21:12:24.279902935 CET	445	50321	165.79.21.227	192.168.2.9
Jan 14, 2025 21:12:24.279983997 CET	50321	445	192.168.2.9	165.79.21.227
Jan 14, 2025 21:12:24.280014992 CET	50321	445	192.168.2.9	165.79.21.227
Jan 14, 2025 21:12:24.280209064 CET	50322	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.285100937 CET	445	50321	165.79.21.227	192.168.2.9
Jan 14, 2025 21:12:24.285119057 CET	445	50322	165.79.21.1	192.168.2.9
Jan 14, 2025 21:12:24.285178900 CET	50321	445	192.168.2.9	165.79.21.227
Jan 14, 2025 21:12:24.285202980 CET	50322	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.285275936 CET	50322	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.285528898 CET	50323	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.290168047 CET	445	50322	165.79.21.1	192.168.2.9
Jan 14, 2025 21:12:24.290357113 CET	445	50323	165.79.21.1	192.168.2.9
Jan 14, 2025 21:12:24.290440083 CET	50322	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.290457964 CET	50323	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.290509939 CET	50323	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:24.295336008 CET	445	50323	165.79.21.1	192.168.2.9
Jan 14, 2025 21:12:24.888732910 CET	445	50219	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:24.888806105 CET	50219	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:24.888853073 CET	50219	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:24.888876915 CET	50219	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:24.893682957 CET	445	50219	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:24.893702030 CET	445	50219	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:25.014998913 CET	445	50224	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:25.015331984 CET	50224	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:25.015331984 CET	50224	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:25.015388966 CET	50224	445	192.168.2.9	174.249.30.1
Jan 14, 2025 21:12:25.020241976 CET	445	50224	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:25.020262003 CET	445	50224	174.249.30.1	192.168.2.9
Jan 14, 2025 21:12:25.071779013 CET	50324	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.076807022 CET	445	50324	174.249.30.2	192.168.2.9
Jan 14, 2025 21:12:25.077773094 CET	50324	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.077816963 CET	50324	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.078253984 CET	50325	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.082896948 CET	445	50324	174.249.30.2	192.168.2.9
Jan 14, 2025 21:12:25.083117008 CET	445	50325	174.249.30.2	192.168.2.9
Jan 14, 2025 21:12:25.083179951 CET	50324	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.083319902 CET	50325	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.085714102 CET	50325	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:25.090482950 CET	445	50325	174.249.30.2	192.168.2.9
Jan 14, 2025 21:12:25.431195021 CET	50327	445	192.168.2.9	160.141.203.86
Jan 14, 2025 21:12:25.436117887 CET	445	50327	160.141.203.86	192.168.2.9
Jan 14, 2025 21:12:25.436197996 CET	50327	445	192.168.2.9	160.141.203.86
Jan 14, 2025 21:12:25.436274052 CET	50327	445	192.168.2.9	160.141.203.86
Jan 14, 2025 21:12:25.436419964 CET	50328	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.441395044 CET	445	50327	160.141.203.86	192.168.2.9
Jan 14, 2025 21:12:25.441411972 CET	445	50328	160.141.203.1	192.168.2.9
Jan 14, 2025 21:12:25.441452026 CET	50327	445	192.168.2.9	160.141.203.86
Jan 14, 2025 21:12:25.441490889 CET	50328	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.441561937 CET	50328	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.442051888 CET	50329	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.446490049 CET	445	50328	160.141.203.1	192.168.2.9
Jan 14, 2025 21:12:25.446540117 CET	50328	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.446964025 CET	445	50329	160.141.203.1	192.168.2.9
Jan 14, 2025 21:12:25.447307110 CET	50329	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.447343111 CET	50329	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:25.452096939 CET	445	50329	160.141.203.1	192.168.2.9
Jan 14, 2025 21:12:25.821456909 CET	50330	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:25.826447010 CET	445	50330	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:25.826524973 CET	50330	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:25.826580048 CET	50330	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:25.831360102 CET	445	50330	2.65.247.1	192.168.2.9
Jan 14, 2025 21:12:26.509176970 CET	50331	445	192.168.2.9	126.233.201.152
Jan 14, 2025 21:12:26.514048100 CET	445	50331	126.233.201.152	192.168.2.9
Jan 14, 2025 21:12:26.514117002 CET	50331	445	192.168.2.9	126.233.201.152
Jan 14, 2025 21:12:26.514163017 CET	50331	445	192.168.2.9	126.233.201.152
Jan 14, 2025 21:12:26.514323950 CET	50332	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.519094944 CET	445	50332	126.233.201.1	192.168.2.9
Jan 14, 2025 21:12:26.519160032 CET	50332	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.519191027 CET	50332	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.519298077 CET	445	50331	126.233.201.152	192.168.2.9
Jan 14, 2025 21:12:26.519351006 CET	50331	445	192.168.2.9	126.233.201.152
Jan 14, 2025 21:12:26.519517899 CET	50333	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.524286032 CET	445	50332	126.233.201.1	192.168.2.9
Jan 14, 2025 21:12:26.524368048 CET	445	50333	126.233.201.1	192.168.2.9
Jan 14, 2025 21:12:26.524380922 CET	50332	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.524421930 CET	50333	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.524454117 CET	50333	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:26.529201984 CET	445	50333	126.233.201.1	192.168.2.9
Jan 14, 2025 21:12:26.811487913 CET	445	50238	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:26.811558008 CET	50238	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:26.811593056 CET	50238	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:26.811640024 CET	50238	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:26.816416979 CET	445	50238	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:26.816432953 CET	445	50238	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:27.012928963 CET	445	50239	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:27.013008118 CET	50239	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:27.013079882 CET	50239	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:27.013160944 CET	50239	445	192.168.2.9	180.146.240.1
Jan 14, 2025 21:12:27.017982006 CET	445	50239	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:27.018084049 CET	445	50239	180.146.240.1	192.168.2.9
Jan 14, 2025 21:12:27.071538925 CET	50334	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.076467037 CET	445	50334	180.146.240.2	192.168.2.9
Jan 14, 2025 21:12:27.076530933 CET	50334	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.076576948 CET	50334	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.076927900 CET	50335	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.081470013 CET	445	50334	180.146.240.2	192.168.2.9
Jan 14, 2025 21:12:27.081536055 CET	50334	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.081741095 CET	445	50335	180.146.240.2	192.168.2.9
Jan 14, 2025 21:12:27.081808090 CET	50335	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.081837893 CET	50335	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:27.086595058 CET	445	50335	180.146.240.2	192.168.2.9
Jan 14, 2025 21:12:27.524868011 CET	50336	445	192.168.2.9	206.89.121.225
Jan 14, 2025 21:12:27.529762030 CET	445	50336	206.89.121.225	192.168.2.9
Jan 14, 2025 21:12:27.529850960 CET	50336	445	192.168.2.9	206.89.121.225
Jan 14, 2025 21:12:27.529870987 CET	50336	445	192.168.2.9	206.89.121.225
Jan 14, 2025 21:12:27.530133963 CET	50337	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:27.534976959 CET	445	50337	206.89.121.1	192.168.2.9
Jan 14, 2025 21:12:27.534989119 CET	445	50336	206.89.121.225	192.168.2.9
Jan 14, 2025 21:12:27.535051107 CET	50336	445	192.168.2.9	206.89.121.225
Jan 14, 2025 21:12:27.535062075 CET	50337	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:27.535439014 CET	50338	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:27.539995909 CET	445	50337	206.89.121.1	192.168.2.9
Jan 14, 2025 21:12:27.540097952 CET	50337	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:27.540211916 CET	445	50338	206.89.121.1	192.168.2.9
Jan 14, 2025 21:12:27.540266991 CET	50338	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:27.540290117 CET	50338	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:27.545033932 CET	445	50338	206.89.121.1	192.168.2.9
Jan 14, 2025 21:12:27.899709940 CET	50339	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:27.904613018 CET	445	50339	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:27.904719114 CET	50339	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:27.904756069 CET	50339	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:27.909535885 CET	445	50339	83.144.215.1	192.168.2.9
Jan 14, 2025 21:12:28.462403059 CET	50340	445	192.168.2.9	33.196.217.90
Jan 14, 2025 21:12:28.467375994 CET	445	50340	33.196.217.90	192.168.2.9
Jan 14, 2025 21:12:28.467454910 CET	50340	445	192.168.2.9	33.196.217.90
Jan 14, 2025 21:12:28.467519045 CET	50340	445	192.168.2.9	33.196.217.90
Jan 14, 2025 21:12:28.467665911 CET	50341	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.472493887 CET	445	50340	33.196.217.90	192.168.2.9
Jan 14, 2025 21:12:28.472507000 CET	445	50341	33.196.217.1	192.168.2.9
Jan 14, 2025 21:12:28.472554922 CET	50340	445	192.168.2.9	33.196.217.90
Jan 14, 2025 21:12:28.472579002 CET	50341	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.472635984 CET	50341	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.472892046 CET	50342	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.477654934 CET	445	50341	33.196.217.1	192.168.2.9
Jan 14, 2025 21:12:28.477665901 CET	445	50342	33.196.217.1	192.168.2.9
Jan 14, 2025 21:12:28.477709055 CET	50341	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.477735996 CET	50342	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.477814913 CET	50342	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:28.482645035 CET	445	50342	33.196.217.1	192.168.2.9
Jan 14, 2025 21:12:28.809938908 CET	445	50256	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:28.810031891 CET	50256	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:28.810101986 CET	50256	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:28.810169935 CET	50256	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:28.815025091 CET	445	50256	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:28.815058947 CET	445	50256	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:28.983989954 CET	445	50258	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:28.984191895 CET	50258	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:28.984313965 CET	50258	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:28.984374046 CET	50258	445	192.168.2.9	189.221.206.1
Jan 14, 2025 21:12:28.989067078 CET	445	50258	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:28.989171982 CET	445	50258	189.221.206.1	192.168.2.9
Jan 14, 2025 21:12:29.040541887 CET	50343	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.045696974 CET	445	50343	189.221.206.2	192.168.2.9
Jan 14, 2025 21:12:29.047897100 CET	50343	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.047897100 CET	50343	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.048199892 CET	50344	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.053064108 CET	445	50344	189.221.206.2	192.168.2.9
Jan 14, 2025 21:12:29.055793047 CET	50344	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.055813074 CET	50344	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.060300112 CET	445	50343	189.221.206.2	192.168.2.9
Jan 14, 2025 21:12:29.060573101 CET	445	50344	189.221.206.2	192.168.2.9
Jan 14, 2025 21:12:29.071997881 CET	445	50343	189.221.206.2	192.168.2.9
Jan 14, 2025 21:12:29.075870037 CET	50343	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:29.337985992 CET	50345	445	192.168.2.9	104.136.62.55
Jan 14, 2025 21:12:29.342809916 CET	445	50345	104.136.62.55	192.168.2.9
Jan 14, 2025 21:12:29.344789982 CET	50345	445	192.168.2.9	104.136.62.55
Jan 14, 2025 21:12:29.346770048 CET	50345	445	192.168.2.9	104.136.62.55
Jan 14, 2025 21:12:29.346959114 CET	50346	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.351677895 CET	445	50346	104.136.62.1	192.168.2.9
Jan 14, 2025 21:12:29.352252007 CET	445	50345	104.136.62.55	192.168.2.9
Jan 14, 2025 21:12:29.352327108 CET	50346	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.352365017 CET	50346	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.352750063 CET	50347	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.354274988 CET	445	50345	104.136.62.55	192.168.2.9
Jan 14, 2025 21:12:29.356761932 CET	50345	445	192.168.2.9	104.136.62.55
Jan 14, 2025 21:12:29.357175112 CET	445	50346	104.136.62.1	192.168.2.9
Jan 14, 2025 21:12:29.357502937 CET	445	50347	104.136.62.1	192.168.2.9
Jan 14, 2025 21:12:29.357666016 CET	50346	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.357698917 CET	50347	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.357810020 CET	50347	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:29.362643003 CET	445	50347	104.136.62.1	192.168.2.9
Jan 14, 2025 21:12:29.821820974 CET	50348	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:29.826668024 CET	445	50348	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:29.828778028 CET	50348	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:29.828831911 CET	50348	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:29.833616972 CET	445	50348	145.91.202.1	192.168.2.9
Jan 14, 2025 21:12:30.165904999 CET	50349	445	192.168.2.9	182.119.252.121
Jan 14, 2025 21:12:30.170907974 CET	445	50349	182.119.252.121	192.168.2.9
Jan 14, 2025 21:12:30.171282053 CET	50349	445	192.168.2.9	182.119.252.121
Jan 14, 2025 21:12:30.171299934 CET	50349	445	192.168.2.9	182.119.252.121
Jan 14, 2025 21:12:30.171436071 CET	50350	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.176301956 CET	445	50350	182.119.252.1	192.168.2.9
Jan 14, 2025 21:12:30.176357985 CET	445	50349	182.119.252.121	192.168.2.9
Jan 14, 2025 21:12:30.176393986 CET	445	50349	182.119.252.121	192.168.2.9
Jan 14, 2025 21:12:30.176485062 CET	50350	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.176578999 CET	50349	445	192.168.2.9	182.119.252.121
Jan 14, 2025 21:12:30.176660061 CET	50350	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.176974058 CET	50351	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.181476116 CET	445	50350	182.119.252.1	192.168.2.9
Jan 14, 2025 21:12:30.181596994 CET	50350	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.181859970 CET	445	50351	182.119.252.1	192.168.2.9
Jan 14, 2025 21:12:30.181983948 CET	50351	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.182029009 CET	50351	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:30.186845064 CET	445	50351	182.119.252.1	192.168.2.9
Jan 14, 2025 21:12:30.856817961 CET	445	50271	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:30.857778072 CET	50271	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:30.857830048 CET	50271	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:30.857873917 CET	50271	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:30.862711906 CET	445	50271	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:30.862721920 CET	445	50271	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:30.931265116 CET	50352	445	192.168.2.9	126.247.214.152
Jan 14, 2025 21:12:30.936244011 CET	445	50352	126.247.214.152	192.168.2.9
Jan 14, 2025 21:12:30.936391115 CET	50352	445	192.168.2.9	126.247.214.152
Jan 14, 2025 21:12:30.936391115 CET	50352	445	192.168.2.9	126.247.214.152
Jan 14, 2025 21:12:30.936595917 CET	50353	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.941458941 CET	445	50353	126.247.214.1	192.168.2.9
Jan 14, 2025 21:12:30.941538095 CET	445	50352	126.247.214.152	192.168.2.9
Jan 14, 2025 21:12:30.941557884 CET	50353	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.941631079 CET	50353	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.941648960 CET	50352	445	192.168.2.9	126.247.214.152
Jan 14, 2025 21:12:30.942001104 CET	50354	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.946563959 CET	445	50353	126.247.214.1	192.168.2.9
Jan 14, 2025 21:12:30.946628094 CET	50353	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.946790934 CET	445	50354	126.247.214.1	192.168.2.9
Jan 14, 2025 21:12:30.946937084 CET	50354	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.946979046 CET	50354	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:30.951720953 CET	445	50354	126.247.214.1	192.168.2.9
Jan 14, 2025 21:12:31.001101017 CET	445	50274	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:31.001257896 CET	50274	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:31.001305103 CET	50274	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:31.001411915 CET	50274	445	192.168.2.9	153.157.148.1
Jan 14, 2025 21:12:31.006167889 CET	445	50274	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:31.006198883 CET	445	50274	153.157.148.1	192.168.2.9
Jan 14, 2025 21:12:31.056452990 CET	50355	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.061543941 CET	445	50355	153.157.148.2	192.168.2.9
Jan 14, 2025 21:12:31.061748028 CET	50355	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.066505909 CET	50355	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.067151070 CET	50356	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.071365118 CET	445	50355	153.157.148.2	192.168.2.9
Jan 14, 2025 21:12:31.071434021 CET	50355	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.072026014 CET	445	50356	153.157.148.2	192.168.2.9
Jan 14, 2025 21:12:31.072171926 CET	50356	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.072210073 CET	50356	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:31.076976061 CET	445	50356	153.157.148.2	192.168.2.9
Jan 14, 2025 21:12:31.821628094 CET	50358	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:31.826565981 CET	445	50358	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:31.829402924 CET	50358	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:31.832328081 CET	50358	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:31.837152004 CET	445	50358	183.48.5.1	192.168.2.9
Jan 14, 2025 21:12:32.891988993 CET	445	50290	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:32.892121077 CET	50290	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:32.892209053 CET	50290	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:32.892251015 CET	50290	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:32.897078037 CET	445	50290	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:32.897188902 CET	445	50290	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:33.046015024 CET	445	50291	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:33.046144962 CET	50291	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:33.046224117 CET	50291	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:33.046293974 CET	50291	445	192.168.2.9	192.130.61.1
Jan 14, 2025 21:12:33.050947905 CET	445	50291	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:33.051069975 CET	445	50291	192.130.61.1	192.168.2.9
Jan 14, 2025 21:12:33.102834940 CET	50362	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.108071089 CET	445	50362	192.130.61.2	192.168.2.9
Jan 14, 2025 21:12:33.108161926 CET	50362	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.108222008 CET	50362	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.108566999 CET	50363	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.113234997 CET	445	50362	192.130.61.2	192.168.2.9
Jan 14, 2025 21:12:33.113338947 CET	50362	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.113471031 CET	445	50363	192.130.61.2	192.168.2.9
Jan 14, 2025 21:12:33.113543987 CET	50363	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.113559961 CET	50363	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:33.118388891 CET	445	50363	192.130.61.2	192.168.2.9
Jan 14, 2025 21:12:33.868308067 CET	50366	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:33.873311996 CET	445	50366	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:33.873413086 CET	50366	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:33.873450041 CET	50366	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:33.878225088 CET	445	50366	187.16.168.1	192.168.2.9
Jan 14, 2025 21:12:34.874198914 CET	445	50296	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:34.874293089 CET	50296	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:34.874360085 CET	50296	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:34.874406099 CET	50296	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:34.879259109 CET	445	50296	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:34.879275084 CET	445	50296	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:35.032619953 CET	445	50297	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:35.032716990 CET	50297	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:35.032779932 CET	50297	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:35.032881021 CET	50297	445	192.168.2.9	14.83.224.1
Jan 14, 2025 21:12:35.037736893 CET	445	50297	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:35.037754059 CET	445	50297	14.83.224.1	192.168.2.9
Jan 14, 2025 21:12:35.087785006 CET	50375	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.092814922 CET	445	50375	14.83.224.2	192.168.2.9
Jan 14, 2025 21:12:35.093048096 CET	50375	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.093122005 CET	50375	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.093478918 CET	50376	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.098110914 CET	445	50375	14.83.224.2	192.168.2.9
Jan 14, 2025 21:12:35.098174095 CET	50375	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.098277092 CET	445	50376	14.83.224.2	192.168.2.9
Jan 14, 2025 21:12:35.098330975 CET	50376	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.098388910 CET	50376	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:35.103140116 CET	445	50376	14.83.224.2	192.168.2.9
Jan 14, 2025 21:12:35.899674892 CET	50383	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:35.904623032 CET	445	50383	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:35.909773111 CET	50383	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:35.911998987 CET	50383	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:35.916809082 CET	445	50383	189.79.98.1	192.168.2.9
Jan 14, 2025 21:12:36.810682058 CET	445	50300	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:36.810750961 CET	50300	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:36.810807943 CET	50300	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:36.810853004 CET	50300	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:36.815676928 CET	445	50300	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:36.815691948 CET	445	50300	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:37.112503052 CET	445	50301	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:37.112593889 CET	50301	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:37.112632036 CET	50301	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:37.112664938 CET	50301	445	192.168.2.9	1.153.139.1
Jan 14, 2025 21:12:37.117464066 CET	445	50301	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:37.117475986 CET	445	50301	1.153.139.1	192.168.2.9
Jan 14, 2025 21:12:37.165435076 CET	50395	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.170377016 CET	445	50395	1.153.139.2	192.168.2.9
Jan 14, 2025 21:12:37.170455933 CET	50395	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.170511007 CET	50395	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.170883894 CET	50396	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.175422907 CET	445	50395	1.153.139.2	192.168.2.9
Jan 14, 2025 21:12:37.175477028 CET	50395	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.175645113 CET	445	50396	1.153.139.2	192.168.2.9
Jan 14, 2025 21:12:37.175754070 CET	50396	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.175772905 CET	50396	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:37.180519104 CET	445	50396	1.153.139.2	192.168.2.9
Jan 14, 2025 21:12:37.884026051 CET	50407	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:37.889020920 CET	445	50407	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:37.889117956 CET	50407	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:37.889170885 CET	50407	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:37.893991947 CET	445	50407	159.61.241.1	192.168.2.9
Jan 14, 2025 21:12:38.481930017 CET	445	50304	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:38.484860897 CET	50304	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:38.546494961 CET	50304	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:38.546530008 CET	50304	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:38.551480055 CET	445	50304	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:38.551495075 CET	445	50304	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:39.093344927 CET	445	50305	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:39.093427896 CET	50305	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:39.098356009 CET	50305	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:39.098499060 CET	50305	445	192.168.2.9	11.220.125.1
Jan 14, 2025 21:12:39.103231907 CET	445	50305	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:39.103307962 CET	445	50305	11.220.125.1	192.168.2.9
Jan 14, 2025 21:12:39.149771929 CET	50431	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.155000925 CET	445	50431	11.220.125.2	192.168.2.9
Jan 14, 2025 21:12:39.155081034 CET	50431	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.155113935 CET	50431	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.155452967 CET	50432	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.160321951 CET	445	50432	11.220.125.2	192.168.2.9
Jan 14, 2025 21:12:39.160334110 CET	445	50431	11.220.125.2	192.168.2.9
Jan 14, 2025 21:12:39.160379887 CET	50432	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.160435915 CET	50432	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.160825014 CET	445	50431	11.220.125.2	192.168.2.9
Jan 14, 2025 21:12:39.160872936 CET	50431	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:39.165342093 CET	445	50432	11.220.125.2	192.168.2.9
Jan 14, 2025 21:12:39.821540117 CET	50447	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:39.826687098 CET	445	50447	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:39.829813004 CET	50447	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:39.829893112 CET	50447	445	192.168.2.9	7.224.74.1
Jan 14, 2025 21:12:39.834748983 CET	445	50447	7.224.74.1	192.168.2.9
Jan 14, 2025 21:12:40.169574022 CET	445	50308	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:40.169758081 CET	50308	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:40.169811010 CET	50308	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:40.169851065 CET	50308	445	192.168.2.9	199.34.37.1
Jan 14, 2025 21:12:40.174803972 CET	445	50308	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:40.174813986 CET	445	50308	199.34.37.1	192.168.2.9
Jan 14, 2025 21:12:41.107455015 CET	445	50309	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:41.107516050 CET	50309	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:41.107551098 CET	50309	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:41.107587099 CET	50309	445	192.168.2.9	126.147.175.1
Jan 14, 2025 21:12:41.112396002 CET	445	50309	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:41.112412930 CET	445	50309	126.147.175.1	192.168.2.9
Jan 14, 2025 21:12:41.165494919 CET	50486	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.170362949 CET	445	50486	126.147.175.2	192.168.2.9
Jan 14, 2025 21:12:41.170439959 CET	50486	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.170475006 CET	50486	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.170778990 CET	50487	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.175605059 CET	445	50487	126.147.175.2	192.168.2.9
Jan 14, 2025 21:12:41.175666094 CET	50487	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.175694942 CET	50487	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.176062107 CET	445	50486	126.147.175.2	192.168.2.9
Jan 14, 2025 21:12:41.176114082 CET	50486	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:41.180520058 CET	445	50487	126.147.175.2	192.168.2.9
Jan 14, 2025 21:12:41.557569981 CET	50506	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:41.562536955 CET	445	50506	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:41.565886021 CET	50506	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:41.565886021 CET	50506	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:41.570686102 CET	445	50506	73.53.142.1	192.168.2.9
Jan 14, 2025 21:12:41.689204931 CET	445	50312	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:41.689914942 CET	50312	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:41.689914942 CET	50312	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:41.689914942 CET	50312	445	192.168.2.9	165.95.110.1
Jan 14, 2025 21:12:41.694848061 CET	445	50312	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:41.694859028 CET	445	50312	165.95.110.1	192.168.2.9
Jan 14, 2025 21:12:43.138237000 CET	445	50316	195.147.126.1	192.168.2.9
Jan 14, 2025 21:12:43.138298988 CET	50316	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:43.139966965 CET	445	50314	168.102.177.1	192.168.2.9
Jan 14, 2025 21:12:43.140026093 CET	50314	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:44.334861994 CET	50344	445	192.168.2.9	189.221.206.2
Jan 14, 2025 21:12:44.334894896 CET	50335	445	192.168.2.9	180.146.240.2
Jan 14, 2025 21:12:44.334902048 CET	50356	445	192.168.2.9	153.157.148.2
Jan 14, 2025 21:12:44.334985018 CET	50325	445	192.168.2.9	174.249.30.2
Jan 14, 2025 21:12:44.335014105 CET	50314	445	192.168.2.9	168.102.177.1
Jan 14, 2025 21:12:44.335062027 CET	50316	445	192.168.2.9	195.147.126.1
Jan 14, 2025 21:12:44.335073948 CET	50319	445	192.168.2.9	221.101.136.1
Jan 14, 2025 21:12:44.335089922 CET	50320	445	192.168.2.9	58.51.75.1
Jan 14, 2025 21:12:44.335093975 CET	50323	445	192.168.2.9	165.79.21.1
Jan 14, 2025 21:12:44.335097075 CET	50396	445	192.168.2.9	1.153.139.2
Jan 14, 2025 21:12:44.335144997 CET	50329	445	192.168.2.9	160.141.203.1
Jan 14, 2025 21:12:44.335155964 CET	50330	445	192.168.2.9	2.65.247.1
Jan 14, 2025 21:12:44.335185051 CET	50338	445	192.168.2.9	206.89.121.1
Jan 14, 2025 21:12:44.335207939 CET	50333	445	192.168.2.9	126.233.201.1
Jan 14, 2025 21:12:44.335217953 CET	50339	445	192.168.2.9	83.144.215.1
Jan 14, 2025 21:12:44.335241079 CET	50342	445	192.168.2.9	33.196.217.1
Jan 14, 2025 21:12:44.335264921 CET	50347	445	192.168.2.9	104.136.62.1
Jan 14, 2025 21:12:44.335268021 CET	50348	445	192.168.2.9	145.91.202.1
Jan 14, 2025 21:12:44.335303068 CET	50354	445	192.168.2.9	126.247.214.1
Jan 14, 2025 21:12:44.335330009 CET	50351	445	192.168.2.9	182.119.252.1
Jan 14, 2025 21:12:44.335330009 CET	50366	445	192.168.2.9	187.16.168.1
Jan 14, 2025 21:12:44.335336924 CET	50358	445	192.168.2.9	183.48.5.1
Jan 14, 2025 21:12:44.335402966 CET	50376	445	192.168.2.9	14.83.224.2
Jan 14, 2025 21:12:44.335412979 CET	50363	445	192.168.2.9	192.130.61.2
Jan 14, 2025 21:12:44.335442066 CET	50407	445	192.168.2.9	159.61.241.1
Jan 14, 2025 21:12:44.335455894 CET	50383	445	192.168.2.9	189.79.98.1
Jan 14, 2025 21:12:44.335669041 CET	50487	445	192.168.2.9	126.147.175.2
Jan 14, 2025 21:12:44.335675955 CET	50506	445	192.168.2.9	73.53.142.1
Jan 14, 2025 21:12:44.335715055 CET	50432	445	192.168.2.9	11.220.125.2
Jan 14, 2025 21:12:44.335715055 CET	50447	445	192.168.2.9	7.224.74.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:11:35.762015104 CET	63423	53	192.168.2.9	1.1.1.1
Jan 14, 2025 21:11:36.064757109 CET	53	63423	1.1.1.1	192.168.2.9
Jan 14, 2025 21:11:36.695112944 CET	63122	53	192.168.2.9	1.1.1.1
Jan 14, 2025 21:11:37.180011034 CET	53	63122	1.1.1.1	192.168.2.9
Jan 14, 2025 21:12:23.990220070 CET	138	138	192.168.2.9	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 21:11:35.762015104 CET	192.168.2.9	1.1.1.1	0xe5b6	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:11:36.695112944 CET	192.168.2.9	1.1.1.1	0xfa5a	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 21:11:27.845957041 CET	1.1.1.1	192.168.2.9	0xad1c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 21:11:27.845957041 CET	1.1.1.1	192.168.2.9	0xad1c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:11:36.064757109 CET	1.1.1.1	192.168.2.9	0xe5b6	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:11:37.180011034 CET	1.1.1.1	192.168.2.9	0xfa5a	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 21:11:37.180011034 CET	1.1.1.1	192.168.2.9	0xfa5a	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49750	103.224.212.215	80	8088	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:11:36.076215029 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:11:36.688776016 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:11:36 GMT server: Apache set-cookie: __tad=1736885496.8445919; expires=Fri, 12-Jan-2035 20:11:36 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3621-b2b0-8d3080c051bd content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49759	199.59.243.228	80	8088	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:11:37.186114073 CET	169	OUT	GET /?subid1=20250115-0711-3621-b2b0-8d3080c051bd HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:11:37.679440975 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:11:36 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 7ae06bd6-da66-45e5-bf42-511b3c3bec92 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MKrMnas0g8ZA5GdybzzZvAUfZAldS3suexBuSZ16YpReZT1X2oscYtpFGoJz5TFcvTSoEynLhBfXNFLCOd1gmw== set-cookie: parking_session=7ae06bd6-da66-45e5-bf42-511b3c3bec92; expires=Tue, 14 Jan 2025 20:26:37 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 4b 72 4d 6e 61 73 30 67 38 5a 41 35 47 64 79 62 7a 7a 5a 76 41 55 66 5a 41 6c 64 53 33 73 75 65 78 42 75 53 5a 31 36 59 70 52 65 5a 54 31 58 32 6f 73 63 59 74 70 46 47 6f 4a 7a 35 54 46 63 76 54 53 6f 45 79 6e 4c 68 42 66 58 4e 46 4c 43 4f 64 31 67 6d 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MKrMnas0g8ZA5GdybzzZvAUfZAldS3suexBuSZ16YpReZT1X2oscYtpFGoJz5TFcvTSoEynLhBfXNFLCOd1gmw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:11:37.679467916 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2FlMDZiZDYtZGE2Ni00NWU1LWJmNDItNTExYjNjM2JlYzkyIiwicGFnZV90aW1lIjoxNzM2ODg1NDk3LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49763	103.224.212.215	80	7188	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:11:37.975275040 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:11:38.632237911 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:11:38 GMT server: Apache set-cookie: __tad=1736885498.7256743; expires=Fri, 12-Jan-2035 20:11:38 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-38c6-8000-741dcdd985dd content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49767	103.224.212.215	80	7336	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:11:38.190596104 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736885496.8445919
Jan 14, 2025 21:11:38.798507929 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:11:38 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0711-3814-92f5-579ab78879f0 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49770	199.59.243.228	80	7188	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:11:38.705323935 CET	169	OUT	GET /?subid1=20250115-0711-38c6-8000-741dcdd985dd HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:11:39.162502050 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:11:38 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 54d6e5ac-c37a-4ba4-8d98-523c5bc64601 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lZ1Aj3Iy9aL3pPYvx7odEv7ta9C4tPhdNDMLID0nY5SPUIq5bhFYvjN4RRVy4+6dgu5zkj0X4yhTEr1BH/AelA== set-cookie: parking_session=54d6e5ac-c37a-4ba4-8d98-523c5bc64601; expires=Tue, 14 Jan 2025 20:26:39 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6c 5a 31 41 6a 33 49 79 39 61 4c 33 70 50 59 76 78 37 6f 64 45 76 37 74 61 39 43 34 74 50 68 64 4e 44 4d 4c 49 44 30 6e 59 35 53 50 55 49 71 35 62 68 46 59 76 6a 4e 34 52 52 56 79 34 2b 36 64 67 75 35 7a 6b 6a 30 58 34 79 68 54 45 72 31 42 48 2f 41 65 6c 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lZ1Aj3Iy9aL3pPYvx7odEv7ta9C4tPhdNDMLID0nY5SPUIq5bhFYvjN4RRVy4+6dgu5zkj0X4yhTEr1BH/AelA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:11:39.162554979 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTRkNmU1YWMtYzM3YS00YmE0LThkOTgtNTIzYzViYzY0NjAxIiwicGFnZV90aW1lIjoxNzM2ODg1NDk5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49772	199.59.243.228	80	7336	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:11:38.828464031 CET	231	OUT	GET /?subid1=20250115-0711-3814-92f5-579ab78879f0 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=7ae06bd6-da66-45e5-bf42-511b3c3bec92
Jan 14, 2025 21:11:39.310545921 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:11:38 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 925a4af2-bb33-4d40-8598-7e33e5a107bb cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kjMADF7xFci5Vj/Ka3PYtPV5GqsRg6D1CLET6prSRUS/wA7EuvHOPNwIZSPNg0eRwuQwk0yGdszQlRWqG5ASqQ== set-cookie: parking_session=7ae06bd6-da66-45e5-bf42-511b3c3bec92; expires=Tue, 14 Jan 2025 20:26:39 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 6a 4d 41 44 46 37 78 46 63 69 35 56 6a 2f 4b 61 33 50 59 74 50 56 35 47 71 73 52 67 36 44 31 43 4c 45 54 36 70 72 53 52 55 53 2f 77 41 37 45 75 76 48 4f 50 4e 77 49 5a 53 50 4e 67 30 65 52 77 75 51 77 6b 30 79 47 64 73 7a 51 6c 52 57 71 47 35 41 53 71 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kjMADF7xFci5Vj/Ka3PYtPV5GqsRg6D1CLET6prSRUS/wA7EuvHOPNwIZSPNg0eRwuQwk0yGdszQlRWqG5ASqQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 21:11:39.310574055 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2FlMDZiZDYtZGE2Ni00NWU1LWJmNDItNTExYjNjM2JlYzkyIiwicGFnZV90aW1lIjoxNzM2ODg1NDk5LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	15:11:33
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll"
Imagebase:	0xad0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:11:33
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:11:33
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:11:33
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\eIZi481eP6.dll,PlayGame
Imagebase:	0x920000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:11:33
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",#1
Imagebase:	0x920000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:11:33
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E5CFF35706AB7BDAFA5F00F6FAD7058D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1374758568.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1374634946.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvr.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:11:36
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E5CFF35706AB7BDAFA5F00F6FAD7058D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1400887390.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1401014694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2053697443.0000000002280000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2053408103.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:11:36
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\eIZi481eP6.dll",PlayGame
Imagebase:	0x920000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:11:36
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E5CFF35706AB7BDAFA5F00F6FAD7058D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1417194747.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.1417356799.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1403754476.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.1403921673.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
WriteFile, xrefs: 00407D1C
C:\%s\%s, xrefs: 00407DFB
CreateProcessA, xrefs: 00407D07
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000006.00000002.1416155723.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1416138183.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416179744.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416253807.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1416155723.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1416138183.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416179744.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416253807.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1416155723.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1416138183.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416179744.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416253807.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.1416155723.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1416138183.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416179744.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416253807.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1416155723.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1416138183.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416179744.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416196802.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416253807.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1416348768.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7188, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2052486731.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2052471310.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052505409.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052587749.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052608493.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2052486731.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2052471310.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052505409.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052587749.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052608493.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000008.00000002.2052486731.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2052471310.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052505409.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052587749.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052608493.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
WriteFile, xrefs: 00407D1C
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000008.00000002.2052486731.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2052471310.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052505409.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052587749.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052608493.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2052486731.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2052471310.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052505409.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052523055.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052570088.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052587749.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052608493.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.000000000084D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2052693488.00000000008C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eIZi481eP6.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\mssecsvr.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
eIZi481eP6.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON