Edit tour

Windows Analysis Report
F1G5BkUV74.dll

Overview

General Information

Sample name:	F1G5BkUV74.dll renamed because original name is a hash value
Original sample name:	bdcaf7ef34cd9b02932e5ee2297e4893.dll
Analysis ID:	1591377
MD5:	bdcaf7ef34cd9b02932e5ee2297e4893
SHA1:	0a29bcc5c829e276d06ea92919de2740b938691c
SHA256:	8d0c9d2e438f33dd7806ed8017baa1f114b6157f9f0eb1fb5d3b59351609120c
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4288 cmdline: loaddll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2520 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 428 cmdline: rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1492 cmdline: rundll32.exe C:\Users\user\Desktop\F1G5BkUV74.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 1856 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B6FB8BD123BD0C46CC1A17A2775569B5)

rundll32.exe (PID: 6004 cmdline: rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 4308 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B6FB8BD123BD0C46CC1A17A2775569B5)

mssecsvr.exe (PID: 6448 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: B6FB8BD123BD0C46CC1A17A2775569B5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
F1G5BkUV74.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
F1G5BkUV74.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
F1G5BkUV74.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2180600297.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2166423022.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2138325687.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2159921750.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 1856	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 6448	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 4308	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvr.exe.1d52084.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.227a8c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22ac96c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.22ac96c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
9.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
9.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
9.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.22ac96c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22ac96c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.22ac96c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d84128.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.1d84128.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
9.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.2289948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.2289948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.2289948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.2289948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.227a8c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227a8c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.227a8c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d84128.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d84128.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.1d84128.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d61104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d61104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d61104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d61104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d52084.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d52084.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d52084.4.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d61104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d61104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d61104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.22858e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22858e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.22858e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d5d0a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d5d0a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d5d0a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.2289948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.2289948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.2289948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:01:14.297678+0100	2803304	3	Unknown Traffic	192.168.2.5	49705	103.224.212.215	80	TCP
2025-01-14T23:01:16.150079+0100	2803304	3	Unknown Traffic	192.168.2.5	49707	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:01:13.372632+0100	2830018	1	A Network Trojan was detected	192.168.2.5	57619	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: F1G5BkUV74.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c751956	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d38	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c7519	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 93%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Source: F1G5BkUV74.dll	ReversingLabs: Detection: 95%
Source: F1G5BkUV74.dll	Virustotal: Detection: 94%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F1G5BkUV74.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: F1G5BkUV74.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.5:57619 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-14d8-ae64-02e71c751956 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736892074.7770901
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-1690-be53-cf6353b68d38 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=4d94cd22-7172-4f4b-ac4b-b562938e91cd

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49707 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.241
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.241
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.241
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.241
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.26
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.26
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.26
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.26
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 131.73.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.3
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.3
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.3
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.3
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 200.56.125.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 66.125.28.1
Source: unknown	TCP traffic detected without corresponding DNS query: 33.35.197.143
Source: unknown	TCP traffic detected without corresponding DNS query: 33.35.197.143
Source: unknown	TCP traffic detected without corresponding DNS query: 33.35.197.143
Source: unknown	TCP traffic detected without corresponding DNS query: 33.35.197.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-14d8-ae64-02e71c751956 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736892074.7770901
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-1690-be53-cf6353b68d38 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=4d94cd22-7172-4f4b-ac4b-b562938e91cd

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2173964815.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.J
Source: mssecsvr.exe, 00000009.00000002.2181275344.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw
Source: mssecsvr.exe, 00000006.00000002.2173964815.000000000099E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c7519
Source: mssecsvr.exe, 00000007.00000002.2810897933.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f
Source: mssecsvr.exe, 00000009.00000002.2181275344.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000003.2179176871.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d
Source: mssecsvr.exe, 00000007.00000002.2810897933.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9igh
Source: F1G5BkUV74.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.2173964815.000000000095E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2173964815.000000000099E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2810897933.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2181275344.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2181275344.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2181275344.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000007.00000002.2810897933.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/i
Source: mssecsvr.exe, 00000006.00000002.2173964815.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/m
Source: mssecsvr.exe, 00000006.00000002.2173964815.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com1
Source: mssecsvr.exe, 00000007.00000002.2810089396.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: F1G5BkUV74.dll, type: SAMPLE
Source: Yara match	File source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.22ac96c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227a8c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d52084.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d61104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.22858e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.2289948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2180600297.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2166423022.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2138325687.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2159921750.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 1856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 4308, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: F1G5BkUV74.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: F1G5BkUV74.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d52084.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227a8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22ac96c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22ac96c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22ac96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22ac96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d84128.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d84128.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.227a8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227a8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d61104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d61104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22858e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22858e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.2289948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.2289948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: tasksche.exe.6.dr

Static PE information: No import functions for PE file found

Source: F1G5BkUV74.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: F1G5BkUV74.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: F1G5BkUV74.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d52084.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227a8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22ac96c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22ac96c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22ac96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22ac96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d84128.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d84128.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.2289948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.227a8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227a8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d61104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d61104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22858e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22858e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.2289948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.2289948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: F1G5BkUV74.dll, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		7_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3276:120:WilError_03

Source: F1G5BkUV74.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F1G5BkUV74.dll,PlayGame

Source: F1G5BkUV74.dll	ReversingLabs: Detection: 95%
Source: F1G5BkUV74.dll	Virustotal: Detection: 94%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F1G5BkUV74.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F1G5BkUV74.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: F1G5BkUV74.dll

Static file information: File size 5267459 > 1048576

Source: F1G5BkUV74.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.64063717569669

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 1088	Thread sleep count: 94 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1088	Thread sleep time: -188000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 4196	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 4196	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1088	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000009.00000002.2181275344.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp+
Source: mssecsvr.exe, 00000006.00000002.2173964815.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn*
Source: mssecsvr.exe, 00000006.00000002.2173964815.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(W
Source: mssecsvr.exe, 00000006.00000002.2173964815.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2810897933.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2810897933.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2181275344.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F1G5BkUV74.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
F1G5BkUV74.dll	94%	Virustotal		Browse
F1G5BkUV74.dll	100%	Avira	TR/AD.WannaCry.zlvlj
F1G5BkUV74.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com1	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c751956	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9igh	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d38	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c7519	100%	Avira URL Cloud	malware
http://ww25.J	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c751956	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d38	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/m	mssecsvr.exe, 00000006.00000002.2173964815.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d	mssecsvr.exe, 00000009.00000002.2181275344.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000003.2179176871.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/i	mssecsvr.exe, 00000007.00000002.2810897933.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	F1G5BkUV74.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f	mssecsvr.exe, 00000007.00000002.2810897933.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com1	mssecsvr.exe, 00000006.00000002.2173964815.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c7519	mssecsvr.exe, 00000006.00000002.2173964815.000000000099E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000007.00000002.2810089396.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://ww25.J	mssecsvr.exe, 00000006.00000002.2173964815.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	mssecsvr.exe, 00000009.00000002.2181275344.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9igh	mssecsvr.exe, 00000007.00000002.2810897933.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
33.175.236.1	unknown	United States	2686	ATGS-MMD-ASUS	false
165.165.9.166	unknown	South Africa	5713	SAIX-NETZA	false
96.221.78.1	unknown	United States	7922	COMCAST-7922US	false
96.221.78.64	unknown	United States	7922	COMCAST-7922US	false
31.38.176.245	unknown	France	5410	BOUYGTEL-ISPFR	false
175.107.76.1	unknown	Korea Republic of	9765	VTOPIA-AS-KRVTOPIAKR	false
31.38.176.1	unknown	France	5410	BOUYGTEL-ISPFR	false
155.32.24.1	unknown	New Zealand	24324	KORDIA-TRANSIT-AS-APKordiaLimitedNZ	false
33.131.241.1	unknown	United States	2686	ATGS-MMD-ASUS	false
210.238.136.228	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
178.11.135.1	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
178.11.135.2	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
106.52.131.1	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
33.175.236.126	unknown	United States	2686	ATGS-MMD-ASUS	false
27.239.87.188	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
135.45.113.1	unknown	United States	54614	CIKTELECOM-CABLECA	false
206.38.36.217	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
66.125.28.241	unknown	United States	7132	SBIS-ASUS	false
206.38.36.1	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
170.188.75.1	unknown	United States	47090	SCLHS-47090US	false
178.11.135.196	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
135.45.113.250	unknown	United States	54614	CIKTELECOM-CABLECA	false
155.32.24.154	unknown	New Zealand	24324	KORDIA-TRANSIT-AS-APKordiaLimitedNZ	false
131.73.187.2	unknown	United States	28075	ARLINKSAAR	false
131.73.187.1	unknown	United States	28075	ARLINKSAAR	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591377
Start date and time:	2025-01-14 23:00:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F1G5BkUV74.dll renamed because original name is a hash value
Original Sample Name:	bdcaf7ef34cd9b02932e5ee2297e4893.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.23.77.188, 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:01:15	API Interceptor	1x Sleep call for process: loaddll32.exe modified
17:01:50	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SAIX-NETZA	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	102.252.16.166
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	102.252.75.222
	meth10.elf	Get hash	malicious	Mirai	Browse	41.198.64.136
	meth2.elf	Get hash	malicious	Mirai	Browse	41.146.97.251
	meth15.elf	Get hash	malicious	Mirai	Browse	41.149.215.18
	elitebotnet.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	102.248.204.132
	3.elf	Get hash	malicious	Unknown	Browse	41.246.80.204
	4.elf	Get hash	malicious	Unknown	Browse	41.149.186.133
	5.elf	Get hash	malicious	Unknown	Browse	41.151.3.237
	3.elf	Get hash	malicious	Unknown	Browse	41.145.255.153
COMCAST-7922US	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	75.65.143.1
	YZJG8NuHEP.dll	Get hash	malicious	Wannacry	Browse	29.248.211.36
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	26.28.204.104
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	26.34.166.1
	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse	73.80.3.78
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	28.125.169.1
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	73.191.198.1
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	26.20.34.202
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	75.149.106.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	68.43.54.12
ATGS-MMD-ASUS	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	56.59.202.1
	YZJG8NuHEP.dll	Get hash	malicious	Wannacry	Browse	51.209.245.1
	http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664	Get hash	malicious	Phisher	Browse	34.149.158.220
	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	34.1.98.1
	FjSrGs0AE2.dll	Get hash	malicious	Wannacry	Browse	51.243.90.42
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	34.177.88.1
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	48.82.13.223
	jpXNd6Kt8z.dll	Get hash	malicious	Wannacry	Browse	33.222.99.200
	527.zip	Get hash	malicious	Unknown	Browse	34.160.144.191
	527.zip	Get hash	malicious	Unknown	Browse	34.160.144.191

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	5.811132078708732
Encrypted:	false
SSDEEP:	24576:tihdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz66:9MSPbcBVQej/1INR
MD5:	B64550EA55F2ED6EE168FF79C40B56F8
SHA1:	41D6BD8747FFFA273065C3D5656A36F197718BB9
SHA-256:	DC25DFEB633EB5112BCDF1336088EE8D67EE81F6129BF9AB77287B13CE13BE32
SHA-512:	D2C34AC6056240F699174EBB6DCA7B1ABF98785E240AE1A6421026091ED08D6CC1CF0560E41A1A04F0E1F29C17E925956E840A38FCF64C4610A6DE84D49D22A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	5.811132078708732
Encrypted:	false
SSDEEP:	24576:tihdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz66:9MSPbcBVQej/1INR
MD5:	B64550EA55F2ED6EE168FF79C40B56F8
SHA1:	41D6BD8747FFFA273065C3D5656A36F197718BB9
SHA-256:	DC25DFEB633EB5112BCDF1336088EE8D67EE81F6129BF9AB77287B13CE13BE32
SHA-512:	D2C34AC6056240F699174EBB6DCA7B1ABF98785E240AE1A6421026091ED08D6CC1CF0560E41A1A04F0E1F29C17E925956E840A38FCF64C4610A6DE84D49D22A8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.95934659514823
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	F1G5BkUV74.dll
File size:	5'267'459 bytes
MD5:	bdcaf7ef34cd9b02932e5ee2297e4893
SHA1:	0a29bcc5c829e276d06ea92919de2740b938691c
SHA256:	8d0c9d2e438f33dd7806ed8017baa1f114b6157f9f0eb1fb5d3b59351609120c
SHA512:	8c0fbf6444aee59f47ab4f6f9c0f0182db3c332c35725a32757055bdc522ef8e192f7ca2fbe7fe080c3a12090030e58bdce179fe0c2b2d0eeaa387c7c5aba81d
SSDEEP:	24576:RbLgurihdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz66:RnnMSPbcBVQej/1INR
TLSH:	273623DA35AC91FCD206367194778E22E6F73C6D31B9AA0F9B804A311C03B95BB54F52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F0D50E8D34Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F0D50E8D368h
cmp esi, 01h
je 00007F0D50E8D347h
cmp esi, 02h
jne 00007F0D50E8D364h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F0D50E8D34Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F0D50E8D34Eh
push edi
push esi
push ebx
call 00007F0D50E8D25Ah
test eax, eax
jne 00007F0D50E8D346h
xor eax, eax
jmp 00007F0D50E8D390h
push edi
push esi
push ebx
call 00007F0D50E8D10Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F0D50E8D34Eh
test eax, eax
jne 00007F0D50E8D379h
push edi
push eax
push ebx
call 00007F0D50E8D236h
test esi, esi
je 00007F0D50E8D347h
cmp esi, 03h
jne 00007F0D50E8D368h
push edi
push esi
push ebx
call 00007F0D50E8D225h
test eax, eax
jne 00007F0D50E8D345h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F0D50E8D353h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F0D50E8D34Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	c8d4f37730504a4c996658dc08ba80ae	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8791799545288086

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T23:01:13.372632+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.5	57619	1.1.1.1	53	UDP
2025-01-14T23:01:14.297678+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49705	103.224.212.215	80	TCP
2025-01-14T23:01:16.150079+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49707	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:01:08.588259935 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:08.588356972 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:08.713319063 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:13.681046009 CET	49705	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:13.685864925 CET	80	49705	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:13.686577082 CET	49705	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:13.686799049 CET	49705	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:13.691556931 CET	80	49705	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:14.297621012 CET	80	49705	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:14.297677994 CET	49705	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:14.297697067 CET	80	49705	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:14.297744036 CET	49705	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:14.301779032 CET	49705	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:14.306664944 CET	80	49705	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:14.688163996 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:14.692964077 CET	80	49706	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:14.693063974 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:14.693592072 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:14.698342085 CET	80	49706	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:15.147213936 CET	80	49706	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:15.147239923 CET	80	49706	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:15.147322893 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:15.147357941 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:15.244940042 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:15.244976997 CET	49706	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:15.553031921 CET	49707	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:15.557960033 CET	80	49707	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:15.558047056 CET	49707	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:15.565308094 CET	49707	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:15.570069075 CET	80	49707	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.150002003 CET	80	49707	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.150019884 CET	80	49707	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.150079012 CET	49707	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.160332918 CET	49707	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.160367012 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.161606073 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.165219069 CET	80	49707	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.165241957 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.165358067 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.165612936 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.166467905 CET	80	49709	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:16.166579962 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.166739941 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.170408010 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.171578884 CET	80	49709	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:16.636703968 CET	80	49709	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:16.636728048 CET	80	49709	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:16.636766911 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.636795998 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.644057035 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.644088030 CET	49709	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.699904919 CET	49710	445	192.168.2.5	210.238.136.228
Jan 14, 2025 23:01:16.705384970 CET	445	49710	210.238.136.228	192.168.2.5
Jan 14, 2025 23:01:16.705477953 CET	49710	445	192.168.2.5	210.238.136.228
Jan 14, 2025 23:01:16.705543995 CET	49710	445	192.168.2.5	210.238.136.228
Jan 14, 2025 23:01:16.705734968 CET	49711	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.711816072 CET	445	49710	210.238.136.228	192.168.2.5
Jan 14, 2025 23:01:16.711848974 CET	445	49711	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:16.711872101 CET	49710	445	192.168.2.5	210.238.136.228
Jan 14, 2025 23:01:16.711925983 CET	49711	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.712490082 CET	49711	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.717299938 CET	445	49711	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:16.717350960 CET	49711	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.721775055 CET	49712	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.726613998 CET	445	49712	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:16.726706028 CET	49712	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.726802111 CET	49712	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:16.731587887 CET	445	49712	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:16.813292980 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.813407898 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.813519955 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.813646078 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.818938971 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:01:16.820885897 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.824028969 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:01:16.825824976 CET	80	49716	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:16.825891972 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.826224089 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:16.831026077 CET	80	49716	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:17.306843042 CET	80	49716	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:17.306930065 CET	80	49716	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:17.306931019 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:17.306976080 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:17.314990044 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:17.315088987 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:17.320075989 CET	80	49716	199.59.243.228	192.168.2.5
Jan 14, 2025 23:01:17.320162058 CET	49716	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:01:18.197885036 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:18.197999001 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:18.322933912 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:18.683810949 CET	49736	445	192.168.2.5	66.125.28.241
Jan 14, 2025 23:01:18.688671112 CET	445	49736	66.125.28.241	192.168.2.5
Jan 14, 2025 23:01:18.688859940 CET	49736	445	192.168.2.5	66.125.28.241
Jan 14, 2025 23:01:18.688859940 CET	49736	445	192.168.2.5	66.125.28.241
Jan 14, 2025 23:01:18.688994884 CET	49737	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.696424961 CET	445	49737	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:18.696532011 CET	445	49736	66.125.28.241	192.168.2.5
Jan 14, 2025 23:01:18.696568966 CET	49737	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.696609974 CET	49736	445	192.168.2.5	66.125.28.241
Jan 14, 2025 23:01:18.696772099 CET	49737	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.698359966 CET	49738	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.701776981 CET	445	49737	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:18.702006102 CET	49737	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.703121901 CET	445	49738	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:18.703196049 CET	49738	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.703288078 CET	49738	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:18.710486889 CET	445	49738	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:20.056835890 CET	443	49703	23.1.237.91	192.168.2.5
Jan 14, 2025 23:01:20.056952000 CET	49703	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:01:20.487293959 CET	445	49738	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:20.487529993 CET	49738	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:20.500900984 CET	49738	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:20.500994921 CET	49738	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:20.505726099 CET	445	49738	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:20.505788088 CET	445	49738	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:21.823281050 CET	49779	445	192.168.2.5	131.73.187.26
Jan 14, 2025 23:01:21.828083038 CET	445	49779	131.73.187.26	192.168.2.5
Jan 14, 2025 23:01:21.828165054 CET	49779	445	192.168.2.5	131.73.187.26
Jan 14, 2025 23:01:21.834872007 CET	49779	445	192.168.2.5	131.73.187.26
Jan 14, 2025 23:01:21.835161924 CET	49780	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.839741945 CET	445	49779	131.73.187.26	192.168.2.5
Jan 14, 2025 23:01:21.839802980 CET	49779	445	192.168.2.5	131.73.187.26
Jan 14, 2025 23:01:21.839993954 CET	445	49780	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:21.840122938 CET	49780	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.840122938 CET	49780	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.841134071 CET	49781	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.845104933 CET	445	49780	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:21.845165014 CET	49780	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.845911026 CET	445	49781	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:21.845985889 CET	49781	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.846024036 CET	49781	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:21.850740910 CET	445	49781	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:22.715117931 CET	49796	445	192.168.2.5	200.56.125.3
Jan 14, 2025 23:01:22.720042944 CET	445	49796	200.56.125.3	192.168.2.5
Jan 14, 2025 23:01:22.720132113 CET	49796	445	192.168.2.5	200.56.125.3
Jan 14, 2025 23:01:22.720175982 CET	49796	445	192.168.2.5	200.56.125.3
Jan 14, 2025 23:01:22.720458031 CET	49797	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.725712061 CET	445	49796	200.56.125.3	192.168.2.5
Jan 14, 2025 23:01:22.725744963 CET	445	49797	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:22.725794077 CET	49796	445	192.168.2.5	200.56.125.3
Jan 14, 2025 23:01:22.725851059 CET	49797	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.725902081 CET	49797	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.727055073 CET	49798	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.733071089 CET	445	49797	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:22.733103991 CET	445	49798	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:22.733129025 CET	49797	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.733179092 CET	49798	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.733321905 CET	49798	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:22.738172054 CET	445	49798	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:23.528922081 CET	49810	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:23.533881903 CET	445	49810	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:23.533987999 CET	49810	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:23.534868002 CET	49810	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:23.539663076 CET	445	49810	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:24.731405973 CET	49828	445	192.168.2.5	33.35.197.143
Jan 14, 2025 23:01:24.736603022 CET	445	49828	33.35.197.143	192.168.2.5
Jan 14, 2025 23:01:24.736840963 CET	49828	445	192.168.2.5	33.35.197.143
Jan 14, 2025 23:01:24.737003088 CET	49828	445	192.168.2.5	33.35.197.143
Jan 14, 2025 23:01:24.737353086 CET	49829	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.741842031 CET	445	49828	33.35.197.143	192.168.2.5
Jan 14, 2025 23:01:24.741919041 CET	49828	445	192.168.2.5	33.35.197.143
Jan 14, 2025 23:01:24.742261887 CET	445	49829	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:24.742371082 CET	49829	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.742461920 CET	49829	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.743416071 CET	49830	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.747407913 CET	445	49829	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:24.747514009 CET	49829	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.748218060 CET	445	49830	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:24.748300076 CET	49830	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.748354912 CET	49830	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:24.753313065 CET	445	49830	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:25.167449951 CET	445	49810	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:25.167561054 CET	49810	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:25.167654991 CET	49810	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:25.167655945 CET	49810	445	192.168.2.5	66.125.28.1
Jan 14, 2025 23:01:25.172476053 CET	445	49810	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:25.172491074 CET	445	49810	66.125.28.1	192.168.2.5
Jan 14, 2025 23:01:25.229738951 CET	49842	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.234630108 CET	445	49842	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:25.236973047 CET	49842	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.237056017 CET	49842	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.238234043 CET	49844	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.242000103 CET	445	49842	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:25.242085934 CET	49842	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.243128061 CET	445	49844	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:25.243216038 CET	49844	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.243258953 CET	49844	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:25.247982025 CET	445	49844	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:26.746562958 CET	49870	445	192.168.2.5	197.4.5.170
Jan 14, 2025 23:01:26.751430988 CET	445	49870	197.4.5.170	192.168.2.5
Jan 14, 2025 23:01:26.751514912 CET	49870	445	192.168.2.5	197.4.5.170
Jan 14, 2025 23:01:26.751569986 CET	49870	445	192.168.2.5	197.4.5.170
Jan 14, 2025 23:01:26.751837969 CET	49871	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.756434917 CET	445	49870	197.4.5.170	192.168.2.5
Jan 14, 2025 23:01:26.756498098 CET	49870	445	192.168.2.5	197.4.5.170
Jan 14, 2025 23:01:26.756702900 CET	445	49871	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:26.756778955 CET	49871	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.756860018 CET	49871	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.758172989 CET	49872	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.761785030 CET	445	49871	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:26.761859894 CET	49871	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.763078928 CET	445	49872	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:26.763153076 CET	49872	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.763253927 CET	49872	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:26.768007040 CET	445	49872	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:28.804555893 CET	49907	445	192.168.2.5	192.75.238.7
Jan 14, 2025 23:01:28.809381962 CET	445	49907	192.75.238.7	192.168.2.5
Jan 14, 2025 23:01:28.809830904 CET	49907	445	192.168.2.5	192.75.238.7
Jan 14, 2025 23:01:28.809887886 CET	49907	445	192.168.2.5	192.75.238.7
Jan 14, 2025 23:01:28.810034037 CET	49909	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.814908028 CET	445	49909	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:28.815015078 CET	445	49907	192.75.238.7	192.168.2.5
Jan 14, 2025 23:01:28.815095901 CET	49907	445	192.168.2.5	192.75.238.7
Jan 14, 2025 23:01:28.815625906 CET	49909	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.865355968 CET	49909	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.870420933 CET	445	49909	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:28.870569944 CET	49909	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.871726036 CET	49913	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.876560926 CET	445	49913	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:28.876641035 CET	49913	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.876709938 CET	49913	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:28.881453991 CET	445	49913	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:29.101213932 CET	445	49872	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:29.101270914 CET	49872	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:29.104119062 CET	49872	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:29.104171038 CET	49872	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:29.108958960 CET	445	49872	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:29.108968973 CET	445	49872	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:30.792644978 CET	49946	445	192.168.2.5	45.211.236.5
Jan 14, 2025 23:01:30.797492027 CET	445	49946	45.211.236.5	192.168.2.5
Jan 14, 2025 23:01:30.797604084 CET	49946	445	192.168.2.5	45.211.236.5
Jan 14, 2025 23:01:30.797636986 CET	49946	445	192.168.2.5	45.211.236.5
Jan 14, 2025 23:01:30.797748089 CET	49947	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.802479029 CET	445	49947	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:30.802530050 CET	49947	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.802582979 CET	49947	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.802817106 CET	49948	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.804136038 CET	445	49946	45.211.236.5	192.168.2.5
Jan 14, 2025 23:01:30.804316998 CET	49946	445	192.168.2.5	45.211.236.5
Jan 14, 2025 23:01:30.807585955 CET	445	49948	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:30.807707071 CET	49948	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.807725906 CET	445	49947	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:30.807773113 CET	49947	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.807921886 CET	49948	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:30.812690973 CET	445	49948	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:32.105052948 CET	49970	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:32.109911919 CET	445	49970	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:32.110043049 CET	49970	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:32.110043049 CET	49970	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:32.114824057 CET	445	49970	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:32.808769941 CET	49982	445	192.168.2.5	178.11.135.196
Jan 14, 2025 23:01:32.813534975 CET	445	49982	178.11.135.196	192.168.2.5
Jan 14, 2025 23:01:32.813600063 CET	49982	445	192.168.2.5	178.11.135.196
Jan 14, 2025 23:01:32.813651085 CET	49982	445	192.168.2.5	178.11.135.196
Jan 14, 2025 23:01:32.813741922 CET	49983	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.818458080 CET	445	49983	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:32.818522930 CET	49983	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.818547010 CET	49983	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.818792105 CET	49984	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.819356918 CET	445	49982	178.11.135.196	192.168.2.5
Jan 14, 2025 23:01:32.819451094 CET	49982	445	192.168.2.5	178.11.135.196
Jan 14, 2025 23:01:32.823513985 CET	445	49984	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:32.823587894 CET	49984	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.823587894 CET	49984	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.823781013 CET	445	49983	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:32.823832035 CET	49983	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:32.828860998 CET	445	49984	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:34.025023937 CET	445	49970	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:34.025106907 CET	49970	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:34.025186062 CET	49970	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:34.025258064 CET	49970	445	192.168.2.5	197.4.5.1
Jan 14, 2025 23:01:34.029989004 CET	445	49970	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:34.030033112 CET	445	49970	197.4.5.1	192.168.2.5
Jan 14, 2025 23:01:34.089616060 CET	50009	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.094383001 CET	445	50009	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:34.094491005 CET	50009	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.094531059 CET	50009	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.094769001 CET	50010	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.099431992 CET	445	50009	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:34.099487066 CET	50009	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.099550962 CET	445	50010	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:34.099606991 CET	50010	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.099637985 CET	50010	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:34.104373932 CET	445	50010	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:34.824256897 CET	50021	445	192.168.2.5	55.86.227.130
Jan 14, 2025 23:01:34.829118967 CET	445	50021	55.86.227.130	192.168.2.5
Jan 14, 2025 23:01:34.829184055 CET	50021	445	192.168.2.5	55.86.227.130
Jan 14, 2025 23:01:34.829256058 CET	50021	445	192.168.2.5	55.86.227.130
Jan 14, 2025 23:01:34.829478025 CET	50022	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.834398031 CET	445	50022	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:34.834465027 CET	445	50021	55.86.227.130	192.168.2.5
Jan 14, 2025 23:01:34.834471941 CET	50022	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.834523916 CET	50022	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.834590912 CET	50021	445	192.168.2.5	55.86.227.130
Jan 14, 2025 23:01:34.835083961 CET	50023	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.839560986 CET	445	50022	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:34.839623928 CET	50022	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.839943886 CET	445	50023	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:34.840006113 CET	50023	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.840039968 CET	50023	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:34.844877958 CET	445	50023	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:35.887275934 CET	445	50010	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:35.887361050 CET	50010	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:35.887413025 CET	50010	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:35.887413025 CET	50010	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:35.892225981 CET	445	50010	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:35.892235041 CET	445	50010	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:36.840010881 CET	50055	445	192.168.2.5	33.131.241.70
Jan 14, 2025 23:01:36.844801903 CET	445	50055	33.131.241.70	192.168.2.5
Jan 14, 2025 23:01:36.844872952 CET	50055	445	192.168.2.5	33.131.241.70
Jan 14, 2025 23:01:36.844873905 CET	50055	445	192.168.2.5	33.131.241.70
Jan 14, 2025 23:01:36.844988108 CET	50057	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.849771976 CET	445	50057	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:36.849847078 CET	50057	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.849858999 CET	50057	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.849863052 CET	445	50055	33.131.241.70	192.168.2.5
Jan 14, 2025 23:01:36.849910021 CET	50055	445	192.168.2.5	33.131.241.70
Jan 14, 2025 23:01:36.850097895 CET	50058	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.854757071 CET	445	50057	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:36.854814053 CET	445	50058	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:36.854931116 CET	50057	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.854973078 CET	50058	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.855021000 CET	50058	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:36.859786034 CET	445	50058	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:38.108531952 CET	445	49712	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:38.108649015 CET	49712	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:38.108649015 CET	49712	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:38.108810902 CET	49712	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:38.113507032 CET	445	49712	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:38.113557100 CET	445	49712	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:38.855197906 CET	50094	445	192.168.2.5	14.88.215.89
Jan 14, 2025 23:01:38.861047029 CET	445	50094	14.88.215.89	192.168.2.5
Jan 14, 2025 23:01:38.863451004 CET	50094	445	192.168.2.5	14.88.215.89
Jan 14, 2025 23:01:38.863451004 CET	50094	445	192.168.2.5	14.88.215.89
Jan 14, 2025 23:01:38.863626003 CET	50095	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.868539095 CET	445	50095	14.88.215.1	192.168.2.5
Jan 14, 2025 23:01:38.869479895 CET	445	50094	14.88.215.89	192.168.2.5
Jan 14, 2025 23:01:38.869556904 CET	50094	445	192.168.2.5	14.88.215.89
Jan 14, 2025 23:01:38.869663954 CET	50095	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.869663954 CET	50095	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.869929075 CET	50096	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.874716043 CET	445	50095	14.88.215.1	192.168.2.5
Jan 14, 2025 23:01:38.874757051 CET	445	50096	14.88.215.1	192.168.2.5
Jan 14, 2025 23:01:38.874860048 CET	50095	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.874917030 CET	50096	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.875355959 CET	50096	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:01:38.880695105 CET	445	50096	14.88.215.1	192.168.2.5
Jan 14, 2025 23:01:38.901874065 CET	50097	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:38.906703949 CET	445	50097	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:38.906821966 CET	50097	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:38.906821966 CET	50097	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:38.911653042 CET	445	50097	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:40.849514008 CET	445	50097	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:40.849618912 CET	50097	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:40.849618912 CET	50097	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:40.849658012 CET	50097	445	192.168.2.5	197.4.5.2
Jan 14, 2025 23:01:40.854474068 CET	445	50097	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:40.854485989 CET	445	50097	197.4.5.2	192.168.2.5
Jan 14, 2025 23:01:40.871035099 CET	50133	445	192.168.2.5	135.45.113.250
Jan 14, 2025 23:01:40.875840902 CET	445	50133	135.45.113.250	192.168.2.5
Jan 14, 2025 23:01:40.875911951 CET	50133	445	192.168.2.5	135.45.113.250
Jan 14, 2025 23:01:40.875927925 CET	50133	445	192.168.2.5	135.45.113.250
Jan 14, 2025 23:01:40.875998020 CET	50134	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.880810022 CET	445	50134	135.45.113.1	192.168.2.5
Jan 14, 2025 23:01:40.880876064 CET	445	50133	135.45.113.250	192.168.2.5
Jan 14, 2025 23:01:40.880892992 CET	50134	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.880892992 CET	50134	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.881195068 CET	50133	445	192.168.2.5	135.45.113.250
Jan 14, 2025 23:01:40.881222010 CET	50135	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.885859013 CET	445	50134	135.45.113.1	192.168.2.5
Jan 14, 2025 23:01:40.885922909 CET	50134	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.886039972 CET	445	50135	135.45.113.1	192.168.2.5
Jan 14, 2025 23:01:40.887475014 CET	50135	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.887475014 CET	50135	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:01:40.892293930 CET	445	50135	135.45.113.1	192.168.2.5
Jan 14, 2025 23:01:40.904120922 CET	50136	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.908957958 CET	445	50136	197.4.5.3	192.168.2.5
Jan 14, 2025 23:01:40.911489964 CET	50136	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.911503077 CET	50136	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.911752939 CET	50137	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.916712999 CET	445	50136	197.4.5.3	192.168.2.5
Jan 14, 2025 23:01:40.916786909 CET	50136	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.916960955 CET	445	50137	197.4.5.3	192.168.2.5
Jan 14, 2025 23:01:40.917074919 CET	50137	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.917074919 CET	50137	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:01:40.921956062 CET	445	50137	197.4.5.3	192.168.2.5
Jan 14, 2025 23:01:41.120655060 CET	50140	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:41.125540972 CET	445	50140	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:41.125710964 CET	50140	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:41.125766993 CET	50140	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:01:41.130644083 CET	445	50140	210.238.136.1	192.168.2.5
Jan 14, 2025 23:01:42.887996912 CET	50156	445	192.168.2.5	175.107.76.77
Jan 14, 2025 23:01:42.892770052 CET	445	50156	175.107.76.77	192.168.2.5
Jan 14, 2025 23:01:42.892873049 CET	50156	445	192.168.2.5	175.107.76.77
Jan 14, 2025 23:01:42.893014908 CET	50156	445	192.168.2.5	175.107.76.77
Jan 14, 2025 23:01:42.893203020 CET	50157	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.898109913 CET	445	50157	175.107.76.1	192.168.2.5
Jan 14, 2025 23:01:42.898124933 CET	445	50156	175.107.76.77	192.168.2.5
Jan 14, 2025 23:01:42.898196936 CET	50157	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.898216009 CET	50157	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.898221970 CET	50156	445	192.168.2.5	175.107.76.77
Jan 14, 2025 23:01:42.898500919 CET	50158	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.903173923 CET	445	50157	175.107.76.1	192.168.2.5
Jan 14, 2025 23:01:42.903261900 CET	445	50158	175.107.76.1	192.168.2.5
Jan 14, 2025 23:01:42.903268099 CET	50157	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.903342009 CET	50158	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.903383017 CET	50158	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:01:42.908226967 CET	445	50158	175.107.76.1	192.168.2.5
Jan 14, 2025 23:01:43.219961882 CET	445	49781	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:43.220043898 CET	49781	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:43.220113993 CET	49781	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:43.220211983 CET	49781	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:43.224934101 CET	445	49781	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:43.224972010 CET	445	49781	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:44.105079889 CET	445	49798	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:44.105340958 CET	49798	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:44.105400085 CET	49798	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:44.105458021 CET	49798	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:44.110681057 CET	445	49798	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:44.110708952 CET	445	49798	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:44.902394056 CET	50171	445	192.168.2.5	170.188.75.102
Jan 14, 2025 23:01:44.907912970 CET	445	50171	170.188.75.102	192.168.2.5
Jan 14, 2025 23:01:44.907994986 CET	50171	445	192.168.2.5	170.188.75.102
Jan 14, 2025 23:01:44.908056974 CET	50171	445	192.168.2.5	170.188.75.102
Jan 14, 2025 23:01:44.908184052 CET	50172	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.913101912 CET	445	50172	170.188.75.1	192.168.2.5
Jan 14, 2025 23:01:44.913160086 CET	50172	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.913178921 CET	50172	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.913381100 CET	50173	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.913463116 CET	445	50171	170.188.75.102	192.168.2.5
Jan 14, 2025 23:01:44.913517952 CET	50171	445	192.168.2.5	170.188.75.102
Jan 14, 2025 23:01:44.918036938 CET	445	50172	170.188.75.1	192.168.2.5
Jan 14, 2025 23:01:44.918104887 CET	50172	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.918143988 CET	445	50173	170.188.75.1	192.168.2.5
Jan 14, 2025 23:01:44.918200970 CET	50173	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.918231010 CET	50173	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:01:44.922986984 CET	445	50173	170.188.75.1	192.168.2.5
Jan 14, 2025 23:01:46.136440992 CET	445	49830	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:46.136496067 CET	49830	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:46.136568069 CET	49830	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:46.136651039 CET	49830	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:46.141784906 CET	445	49830	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:46.141799927 CET	445	49830	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:46.230319977 CET	50181	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:46.235107899 CET	445	50181	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:46.235239983 CET	50181	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:46.235336065 CET	50181	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:01:46.240102053 CET	445	50181	131.73.187.1	192.168.2.5
Jan 14, 2025 23:01:46.655833960 CET	445	49844	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:46.655961990 CET	49844	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:46.656152964 CET	49844	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:46.656187057 CET	49844	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:46.661020041 CET	445	49844	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:46.661040068 CET	445	49844	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:46.918263912 CET	50186	445	192.168.2.5	192.117.193.148
Jan 14, 2025 23:01:46.923053026 CET	445	50186	192.117.193.148	192.168.2.5
Jan 14, 2025 23:01:46.923166990 CET	50186	445	192.168.2.5	192.117.193.148
Jan 14, 2025 23:01:46.923196077 CET	50186	445	192.168.2.5	192.117.193.148
Jan 14, 2025 23:01:46.923412085 CET	50187	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.928212881 CET	445	50187	192.117.193.1	192.168.2.5
Jan 14, 2025 23:01:46.928297043 CET	50187	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.928450108 CET	445	50186	192.117.193.148	192.168.2.5
Jan 14, 2025 23:01:46.928479910 CET	50187	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.928504944 CET	50186	445	192.168.2.5	192.117.193.148
Jan 14, 2025 23:01:46.928852081 CET	50188	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.933552027 CET	445	50187	192.117.193.1	192.168.2.5
Jan 14, 2025 23:01:46.933609009 CET	50187	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.933670998 CET	445	50188	192.117.193.1	192.168.2.5
Jan 14, 2025 23:01:46.933772087 CET	50188	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.933813095 CET	50188	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:01:46.938569069 CET	445	50188	192.117.193.1	192.168.2.5
Jan 14, 2025 23:01:47.121089935 CET	50190	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:47.125930071 CET	445	50190	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:47.126013041 CET	50190	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:47.126072884 CET	50190	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:01:47.130817890 CET	445	50190	200.56.125.1	192.168.2.5
Jan 14, 2025 23:01:48.934111118 CET	50199	445	192.168.2.5	31.38.176.245
Jan 14, 2025 23:01:48.939068079 CET	445	50199	31.38.176.245	192.168.2.5
Jan 14, 2025 23:01:48.939579964 CET	50199	445	192.168.2.5	31.38.176.245
Jan 14, 2025 23:01:48.939625025 CET	50199	445	192.168.2.5	31.38.176.245
Jan 14, 2025 23:01:48.939853907 CET	50200	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.944631100 CET	445	50199	31.38.176.245	192.168.2.5
Jan 14, 2025 23:01:48.944641113 CET	445	50200	31.38.176.1	192.168.2.5
Jan 14, 2025 23:01:48.944693089 CET	50199	445	192.168.2.5	31.38.176.245
Jan 14, 2025 23:01:48.944751978 CET	50200	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.944806099 CET	50200	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.945137978 CET	50201	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.949760914 CET	445	50200	31.38.176.1	192.168.2.5
Jan 14, 2025 23:01:48.949820995 CET	50200	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.949907064 CET	445	50201	31.38.176.1	192.168.2.5
Jan 14, 2025 23:01:48.949975967 CET	50201	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.950009108 CET	50201	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:01:48.954896927 CET	445	50201	31.38.176.1	192.168.2.5
Jan 14, 2025 23:01:49.152343035 CET	50204	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:49.157129049 CET	445	50204	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:49.160079956 CET	50204	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:49.160159111 CET	50204	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:01:49.164860010 CET	445	50204	33.35.197.1	192.168.2.5
Jan 14, 2025 23:01:49.667992115 CET	50208	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:49.672907114 CET	445	50208	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:49.672977924 CET	50208	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:49.673095942 CET	50208	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:01:49.678119898 CET	445	50208	66.125.28.2	192.168.2.5
Jan 14, 2025 23:01:50.279207945 CET	445	49913	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:50.279320002 CET	49913	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:50.279402018 CET	49913	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:50.279450893 CET	49913	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:50.284274101 CET	445	49913	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:50.284282923 CET	445	49913	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:50.949378014 CET	50217	445	192.168.2.5	124.128.75.210
Jan 14, 2025 23:01:50.954287052 CET	445	50217	124.128.75.210	192.168.2.5
Jan 14, 2025 23:01:50.954364061 CET	50217	445	192.168.2.5	124.128.75.210
Jan 14, 2025 23:01:50.954443932 CET	50217	445	192.168.2.5	124.128.75.210
Jan 14, 2025 23:01:50.954598904 CET	50218	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.959350109 CET	445	50217	124.128.75.210	192.168.2.5
Jan 14, 2025 23:01:50.959403992 CET	445	50218	124.128.75.1	192.168.2.5
Jan 14, 2025 23:01:50.959559917 CET	50218	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.959616899 CET	50218	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.959688902 CET	50217	445	192.168.2.5	124.128.75.210
Jan 14, 2025 23:01:50.959909916 CET	50219	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.964582920 CET	445	50218	124.128.75.1	192.168.2.5
Jan 14, 2025 23:01:50.964653969 CET	50218	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.964744091 CET	445	50219	124.128.75.1	192.168.2.5
Jan 14, 2025 23:01:50.964812994 CET	50219	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.964855909 CET	50219	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:01:50.969595909 CET	445	50219	124.128.75.1	192.168.2.5
Jan 14, 2025 23:01:52.214817047 CET	445	49948	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:52.214888096 CET	49948	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:52.214972973 CET	49948	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:52.215015888 CET	49948	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:52.219799042 CET	445	49948	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:52.219814062 CET	445	49948	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:52.824867010 CET	50231	445	192.168.2.5	155.32.24.154
Jan 14, 2025 23:01:52.829806089 CET	445	50231	155.32.24.154	192.168.2.5
Jan 14, 2025 23:01:52.829900980 CET	50231	445	192.168.2.5	155.32.24.154
Jan 14, 2025 23:01:52.829966068 CET	50231	445	192.168.2.5	155.32.24.154
Jan 14, 2025 23:01:52.830082893 CET	50232	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.834937096 CET	445	50232	155.32.24.1	192.168.2.5
Jan 14, 2025 23:01:52.834970951 CET	445	50231	155.32.24.154	192.168.2.5
Jan 14, 2025 23:01:52.835021019 CET	50232	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.835043907 CET	50231	445	192.168.2.5	155.32.24.154
Jan 14, 2025 23:01:52.835114956 CET	50232	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.835346937 CET	50233	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.840476036 CET	445	50232	155.32.24.1	192.168.2.5
Jan 14, 2025 23:01:52.840533972 CET	50232	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.840624094 CET	445	50233	155.32.24.1	192.168.2.5
Jan 14, 2025 23:01:52.840692043 CET	50233	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.841878891 CET	50233	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:01:52.846946955 CET	445	50233	155.32.24.1	192.168.2.5
Jan 14, 2025 23:01:53.326677084 CET	50237	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:53.331506968 CET	445	50237	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:53.331955910 CET	50237	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:53.336715937 CET	50237	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:01:53.341495037 CET	445	50237	192.75.238.1	192.168.2.5
Jan 14, 2025 23:01:54.184247017 CET	445	49984	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:54.184370041 CET	49984	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:54.184437037 CET	49984	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:54.184437037 CET	49984	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:54.189312935 CET	445	49984	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:54.189342976 CET	445	49984	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:54.575330973 CET	50246	445	192.168.2.5	206.34.209.148
Jan 14, 2025 23:01:54.580147982 CET	445	50246	206.34.209.148	192.168.2.5
Jan 14, 2025 23:01:54.580213070 CET	50246	445	192.168.2.5	206.34.209.148
Jan 14, 2025 23:01:54.580532074 CET	50246	445	192.168.2.5	206.34.209.148
Jan 14, 2025 23:01:54.580674887 CET	50247	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.585403919 CET	445	50246	206.34.209.148	192.168.2.5
Jan 14, 2025 23:01:54.585503101 CET	445	50247	206.34.209.1	192.168.2.5
Jan 14, 2025 23:01:54.585510969 CET	50246	445	192.168.2.5	206.34.209.148
Jan 14, 2025 23:01:54.585567951 CET	50247	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.585654974 CET	50247	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.586144924 CET	50248	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.591559887 CET	445	50248	206.34.209.1	192.168.2.5
Jan 14, 2025 23:01:54.591639996 CET	50248	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.591846943 CET	50248	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.592268944 CET	445	50247	206.34.209.1	192.168.2.5
Jan 14, 2025 23:01:54.592329979 CET	50247	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:01:54.596645117 CET	445	50248	206.34.209.1	192.168.2.5
Jan 14, 2025 23:01:55.230706930 CET	50253	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:55.235544920 CET	445	50253	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:55.235622883 CET	50253	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:55.235682964 CET	50253	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:01:55.240498066 CET	445	50253	45.211.236.1	192.168.2.5
Jan 14, 2025 23:01:56.201195002 CET	445	50023	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:56.201399088 CET	50023	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:56.201453924 CET	50023	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:56.201493025 CET	50023	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:56.206299067 CET	445	50023	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:56.206307888 CET	445	50023	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:56.215046883 CET	50261	445	192.168.2.5	27.102.118.98
Jan 14, 2025 23:01:56.219897985 CET	445	50261	27.102.118.98	192.168.2.5
Jan 14, 2025 23:01:56.219959974 CET	50261	445	192.168.2.5	27.102.118.98
Jan 14, 2025 23:01:56.219979048 CET	50261	445	192.168.2.5	27.102.118.98
Jan 14, 2025 23:01:56.220061064 CET	50262	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.224875927 CET	445	50261	27.102.118.98	192.168.2.5
Jan 14, 2025 23:01:56.224930048 CET	50261	445	192.168.2.5	27.102.118.98
Jan 14, 2025 23:01:56.225790977 CET	445	50262	27.102.118.1	192.168.2.5
Jan 14, 2025 23:01:56.225883007 CET	50262	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.225950003 CET	50262	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.226207018 CET	50263	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.231821060 CET	445	50263	27.102.118.1	192.168.2.5
Jan 14, 2025 23:01:56.231877089 CET	445	50262	27.102.118.1	192.168.2.5
Jan 14, 2025 23:01:56.231914997 CET	50263	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.231931925 CET	50263	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.231997013 CET	50262	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:01:56.237343073 CET	445	50263	27.102.118.1	192.168.2.5
Jan 14, 2025 23:01:57.199369907 CET	50270	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:57.204446077 CET	445	50270	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:57.204577923 CET	50270	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:57.204621077 CET	50270	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:01:57.209527969 CET	445	50270	178.11.135.1	192.168.2.5
Jan 14, 2025 23:01:57.746541977 CET	50272	445	192.168.2.5	138.229.112.140
Jan 14, 2025 23:01:57.751456976 CET	445	50272	138.229.112.140	192.168.2.5
Jan 14, 2025 23:01:57.751553059 CET	50272	445	192.168.2.5	138.229.112.140
Jan 14, 2025 23:01:57.751624107 CET	50272	445	192.168.2.5	138.229.112.140
Jan 14, 2025 23:01:57.751811028 CET	50273	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.756557941 CET	445	50272	138.229.112.140	192.168.2.5
Jan 14, 2025 23:01:57.756617069 CET	50272	445	192.168.2.5	138.229.112.140
Jan 14, 2025 23:01:57.756629944 CET	445	50273	138.229.112.1	192.168.2.5
Jan 14, 2025 23:01:57.756685972 CET	50273	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.756719112 CET	50273	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.757030010 CET	50275	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.761846066 CET	445	50275	138.229.112.1	192.168.2.5
Jan 14, 2025 23:01:57.761876106 CET	445	50273	138.229.112.1	192.168.2.5
Jan 14, 2025 23:01:57.761920929 CET	50275	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.761940956 CET	50273	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.761970997 CET	50275	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:01:57.766895056 CET	445	50275	138.229.112.1	192.168.2.5
Jan 14, 2025 23:01:58.279380083 CET	445	50058	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:58.279499054 CET	50058	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:58.279499054 CET	50058	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:58.279669046 CET	50058	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:01:58.284471035 CET	445	50058	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:58.284502029 CET	445	50058	33.131.241.1	192.168.2.5
Jan 14, 2025 23:01:59.168421030 CET	50285	445	192.168.2.5	106.52.131.240
Jan 14, 2025 23:01:59.173245907 CET	445	50285	106.52.131.240	192.168.2.5
Jan 14, 2025 23:01:59.173322916 CET	50285	445	192.168.2.5	106.52.131.240
Jan 14, 2025 23:01:59.173363924 CET	50285	445	192.168.2.5	106.52.131.240
Jan 14, 2025 23:01:59.173439980 CET	50286	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.178191900 CET	445	50286	106.52.131.1	192.168.2.5
Jan 14, 2025 23:01:59.178257942 CET	50286	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.178257942 CET	50286	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.178287029 CET	445	50285	106.52.131.240	192.168.2.5
Jan 14, 2025 23:01:59.178343058 CET	50285	445	192.168.2.5	106.52.131.240
Jan 14, 2025 23:01:59.178531885 CET	50287	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.183211088 CET	445	50286	106.52.131.1	192.168.2.5
Jan 14, 2025 23:01:59.183273077 CET	50286	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.183345079 CET	445	50287	106.52.131.1	192.168.2.5
Jan 14, 2025 23:01:59.183403969 CET	50287	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.183433056 CET	50287	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:01:59.188293934 CET	445	50287	106.52.131.1	192.168.2.5
Jan 14, 2025 23:01:59.214950085 CET	50288	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:59.220072985 CET	445	50288	55.86.227.1	192.168.2.5
Jan 14, 2025 23:01:59.220180988 CET	50288	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:59.220221043 CET	50288	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:01:59.225512981 CET	445	50288	55.86.227.1	192.168.2.5
Jan 14, 2025 23:02:00.215169907 CET	445	50096	14.88.215.1	192.168.2.5
Jan 14, 2025 23:02:00.215226889 CET	50096	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:00.215250969 CET	50096	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:00.215286970 CET	50096	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:00.220097065 CET	445	50096	14.88.215.1	192.168.2.5
Jan 14, 2025 23:02:00.220107079 CET	445	50096	14.88.215.1	192.168.2.5
Jan 14, 2025 23:02:00.543052912 CET	50298	445	192.168.2.5	80.91.35.220
Jan 14, 2025 23:02:00.547940016 CET	445	50298	80.91.35.220	192.168.2.5
Jan 14, 2025 23:02:00.548052073 CET	50298	445	192.168.2.5	80.91.35.220
Jan 14, 2025 23:02:00.548141956 CET	50298	445	192.168.2.5	80.91.35.220
Jan 14, 2025 23:02:00.548324108 CET	50299	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.553276062 CET	445	50298	80.91.35.220	192.168.2.5
Jan 14, 2025 23:02:00.553332090 CET	445	50299	80.91.35.1	192.168.2.5
Jan 14, 2025 23:02:00.553353071 CET	50298	445	192.168.2.5	80.91.35.220
Jan 14, 2025 23:02:00.553442001 CET	50299	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.554769993 CET	50299	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.554994106 CET	50300	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.559587955 CET	445	50299	80.91.35.1	192.168.2.5
Jan 14, 2025 23:02:00.559650898 CET	50299	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.559789896 CET	445	50300	80.91.35.1	192.168.2.5
Jan 14, 2025 23:02:00.559845924 CET	50300	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.561355114 CET	50300	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:00.566225052 CET	445	50300	80.91.35.1	192.168.2.5
Jan 14, 2025 23:02:01.293298006 CET	50306	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:02:01.298249960 CET	445	50306	33.131.241.1	192.168.2.5
Jan 14, 2025 23:02:01.298330069 CET	50306	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:02:01.298348904 CET	50306	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:02:01.303172112 CET	445	50306	33.131.241.1	192.168.2.5
Jan 14, 2025 23:02:01.778002977 CET	50312	445	192.168.2.5	206.38.36.217
Jan 14, 2025 23:02:01.783513069 CET	445	50312	206.38.36.217	192.168.2.5
Jan 14, 2025 23:02:01.783718109 CET	50312	445	192.168.2.5	206.38.36.217
Jan 14, 2025 23:02:01.783718109 CET	50312	445	192.168.2.5	206.38.36.217
Jan 14, 2025 23:02:01.783756018 CET	50313	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.789030075 CET	445	50313	206.38.36.1	192.168.2.5
Jan 14, 2025 23:02:01.789072037 CET	445	50312	206.38.36.217	192.168.2.5
Jan 14, 2025 23:02:01.789108038 CET	50313	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.789125919 CET	50313	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.789127111 CET	50312	445	192.168.2.5	206.38.36.217
Jan 14, 2025 23:02:01.789346933 CET	50314	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.794430971 CET	445	50314	206.38.36.1	192.168.2.5
Jan 14, 2025 23:02:01.794466019 CET	445	50313	206.38.36.1	192.168.2.5
Jan 14, 2025 23:02:01.794632912 CET	50313	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.794764042 CET	50314	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.794764042 CET	50314	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:01.799640894 CET	445	50314	206.38.36.1	192.168.2.5
Jan 14, 2025 23:02:02.294213057 CET	445	50137	197.4.5.3	192.168.2.5
Jan 14, 2025 23:02:02.296895981 CET	50137	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:02.296895981 CET	50137	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:02.296895981 CET	50137	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:02.297595978 CET	445	50135	135.45.113.1	192.168.2.5
Jan 14, 2025 23:02:02.301095009 CET	50135	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:02.301140070 CET	50135	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:02.301177025 CET	50135	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:02.302236080 CET	445	50137	197.4.5.3	192.168.2.5
Jan 14, 2025 23:02:02.302268028 CET	445	50137	197.4.5.3	192.168.2.5
Jan 14, 2025 23:02:02.306268930 CET	445	50135	135.45.113.1	192.168.2.5
Jan 14, 2025 23:02:02.306298971 CET	445	50135	135.45.113.1	192.168.2.5
Jan 14, 2025 23:02:02.500380039 CET	445	50140	210.238.136.1	192.168.2.5
Jan 14, 2025 23:02:02.502451897 CET	50140	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:02:02.502500057 CET	50140	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:02:02.502567053 CET	50140	445	192.168.2.5	210.238.136.1
Jan 14, 2025 23:02:02.507328987 CET	445	50140	210.238.136.1	192.168.2.5
Jan 14, 2025 23:02:02.507375002 CET	445	50140	210.238.136.1	192.168.2.5
Jan 14, 2025 23:02:02.559243917 CET	50318	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.564742088 CET	445	50318	210.238.136.2	192.168.2.5
Jan 14, 2025 23:02:02.564882994 CET	50318	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.564882994 CET	50318	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.565242052 CET	50319	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.570400953 CET	445	50318	210.238.136.2	192.168.2.5
Jan 14, 2025 23:02:02.570439100 CET	445	50319	210.238.136.2	192.168.2.5
Jan 14, 2025 23:02:02.570487976 CET	50318	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.570506096 CET	50319	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.570543051 CET	50319	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:02.575741053 CET	445	50319	210.238.136.2	192.168.2.5
Jan 14, 2025 23:02:02.934223890 CET	50321	445	192.168.2.5	27.239.87.188
Jan 14, 2025 23:02:03.129983902 CET	445	50321	27.239.87.188	192.168.2.5
Jan 14, 2025 23:02:03.130067110 CET	50321	445	192.168.2.5	27.239.87.188
Jan 14, 2025 23:02:03.130131006 CET	50321	445	192.168.2.5	27.239.87.188
Jan 14, 2025 23:02:03.130321026 CET	50323	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.137274027 CET	445	50323	27.239.87.1	192.168.2.5
Jan 14, 2025 23:02:03.137392044 CET	50323	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.137435913 CET	50323	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.137715101 CET	50324	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.138839006 CET	445	50321	27.239.87.188	192.168.2.5
Jan 14, 2025 23:02:03.138905048 CET	50321	445	192.168.2.5	27.239.87.188
Jan 14, 2025 23:02:03.142570019 CET	445	50324	27.239.87.1	192.168.2.5
Jan 14, 2025 23:02:03.142659903 CET	50324	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.143131018 CET	445	50323	27.239.87.1	192.168.2.5
Jan 14, 2025 23:02:03.143207073 CET	50323	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.145595074 CET	50324	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:03.151979923 CET	445	50324	27.239.87.1	192.168.2.5
Jan 14, 2025 23:02:03.232214928 CET	50325	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:03.237095118 CET	445	50325	14.88.215.1	192.168.2.5
Jan 14, 2025 23:02:03.237282038 CET	50325	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:03.240812063 CET	50325	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:03.245841980 CET	445	50325	14.88.215.1	192.168.2.5
Jan 14, 2025 23:02:04.012384892 CET	50330	445	192.168.2.5	24.33.186.66
Jan 14, 2025 23:02:04.017688990 CET	445	50330	24.33.186.66	192.168.2.5
Jan 14, 2025 23:02:04.017816067 CET	50330	445	192.168.2.5	24.33.186.66
Jan 14, 2025 23:02:04.017910004 CET	50331	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.017910004 CET	50330	445	192.168.2.5	24.33.186.66
Jan 14, 2025 23:02:04.022975922 CET	445	50331	24.33.186.1	192.168.2.5
Jan 14, 2025 23:02:04.023061037 CET	50331	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.023061037 CET	445	50330	24.33.186.66	192.168.2.5
Jan 14, 2025 23:02:04.023082018 CET	50331	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.023128033 CET	50330	445	192.168.2.5	24.33.186.66
Jan 14, 2025 23:02:04.023467064 CET	50332	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.028605938 CET	445	50332	24.33.186.1	192.168.2.5
Jan 14, 2025 23:02:04.028692007 CET	50332	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.028700113 CET	50332	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.028701067 CET	445	50331	24.33.186.1	192.168.2.5
Jan 14, 2025 23:02:04.028753996 CET	50331	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:04.033521891 CET	445	50332	24.33.186.1	192.168.2.5
Jan 14, 2025 23:02:04.262927055 CET	445	50158	175.107.76.1	192.168.2.5
Jan 14, 2025 23:02:04.263006926 CET	50158	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:04.263111115 CET	50158	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:04.263111115 CET	50158	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:04.268501043 CET	445	50158	175.107.76.1	192.168.2.5
Jan 14, 2025 23:02:04.268548012 CET	445	50158	175.107.76.1	192.168.2.5
Jan 14, 2025 23:02:05.027968884 CET	50339	445	192.168.2.5	165.165.9.166
Jan 14, 2025 23:02:05.032816887 CET	445	50339	165.165.9.166	192.168.2.5
Jan 14, 2025 23:02:05.032910109 CET	50339	445	192.168.2.5	165.165.9.166
Jan 14, 2025 23:02:05.032938004 CET	50339	445	192.168.2.5	165.165.9.166
Jan 14, 2025 23:02:05.033067942 CET	50340	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.037940979 CET	445	50340	165.165.9.1	192.168.2.5
Jan 14, 2025 23:02:05.037996054 CET	445	50339	165.165.9.166	192.168.2.5
Jan 14, 2025 23:02:05.038026094 CET	50340	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.038026094 CET	50340	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.038045883 CET	50339	445	192.168.2.5	165.165.9.166
Jan 14, 2025 23:02:05.038301945 CET	50341	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.043066978 CET	445	50340	165.165.9.1	192.168.2.5
Jan 14, 2025 23:02:05.043137074 CET	50340	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.043181896 CET	445	50341	165.165.9.1	192.168.2.5
Jan 14, 2025 23:02:05.043241024 CET	50341	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.043272018 CET	50341	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:05.048181057 CET	445	50341	165.165.9.1	192.168.2.5
Jan 14, 2025 23:02:05.309241056 CET	50345	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:05.309277058 CET	50344	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:05.314167023 CET	445	50345	135.45.113.1	192.168.2.5
Jan 14, 2025 23:02:05.314227104 CET	445	50344	197.4.5.3	192.168.2.5
Jan 14, 2025 23:02:05.314270020 CET	50345	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:05.314270020 CET	50345	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:05.314287901 CET	50344	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:05.314321995 CET	50344	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:05.319128036 CET	445	50345	135.45.113.1	192.168.2.5
Jan 14, 2025 23:02:05.319231033 CET	445	50344	197.4.5.3	192.168.2.5
Jan 14, 2025 23:02:05.965946913 CET	50348	445	192.168.2.5	33.175.236.126
Jan 14, 2025 23:02:05.970763922 CET	445	50348	33.175.236.126	192.168.2.5
Jan 14, 2025 23:02:05.970844984 CET	50348	445	192.168.2.5	33.175.236.126
Jan 14, 2025 23:02:05.970870972 CET	50348	445	192.168.2.5	33.175.236.126
Jan 14, 2025 23:02:05.971048117 CET	50349	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.975820065 CET	445	50349	33.175.236.1	192.168.2.5
Jan 14, 2025 23:02:05.975835085 CET	445	50348	33.175.236.126	192.168.2.5
Jan 14, 2025 23:02:05.975879908 CET	50349	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.975908995 CET	50348	445	192.168.2.5	33.175.236.126
Jan 14, 2025 23:02:05.976021051 CET	50349	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.976332903 CET	50350	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.980885983 CET	445	50349	33.175.236.1	192.168.2.5
Jan 14, 2025 23:02:05.980940104 CET	50349	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.981112957 CET	445	50350	33.175.236.1	192.168.2.5
Jan 14, 2025 23:02:05.981175900 CET	50350	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.981215954 CET	50350	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:05.985986948 CET	445	50350	33.175.236.1	192.168.2.5
Jan 14, 2025 23:02:06.295495987 CET	445	50173	170.188.75.1	192.168.2.5
Jan 14, 2025 23:02:06.295615911 CET	50173	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:06.295790911 CET	50173	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:06.295790911 CET	50173	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:06.300592899 CET	445	50173	170.188.75.1	192.168.2.5
Jan 14, 2025 23:02:06.300610065 CET	445	50173	170.188.75.1	192.168.2.5
Jan 14, 2025 23:02:06.840660095 CET	50351	445	192.168.2.5	199.47.119.29
Jan 14, 2025 23:02:06.845467091 CET	445	50351	199.47.119.29	192.168.2.5
Jan 14, 2025 23:02:06.845609903 CET	50351	445	192.168.2.5	199.47.119.29
Jan 14, 2025 23:02:06.845630884 CET	50351	445	192.168.2.5	199.47.119.29
Jan 14, 2025 23:02:06.845777988 CET	50352	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.850557089 CET	445	50352	199.47.119.1	192.168.2.5
Jan 14, 2025 23:02:06.850647926 CET	50352	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.850666046 CET	50352	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.851088047 CET	50353	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.851181030 CET	445	50351	199.47.119.29	192.168.2.5
Jan 14, 2025 23:02:06.851236105 CET	50351	445	192.168.2.5	199.47.119.29
Jan 14, 2025 23:02:06.855609894 CET	445	50352	199.47.119.1	192.168.2.5
Jan 14, 2025 23:02:06.855689049 CET	50352	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.855870962 CET	445	50353	199.47.119.1	192.168.2.5
Jan 14, 2025 23:02:06.855925083 CET	50353	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.855945110 CET	50353	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:06.860723019 CET	445	50353	199.47.119.1	192.168.2.5
Jan 14, 2025 23:02:07.277991056 CET	50354	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:07.282803059 CET	445	50354	175.107.76.1	192.168.2.5
Jan 14, 2025 23:02:07.282926083 CET	50354	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:07.282974005 CET	50354	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:07.287710905 CET	445	50354	175.107.76.1	192.168.2.5
Jan 14, 2025 23:02:07.619756937 CET	445	50181	131.73.187.1	192.168.2.5
Jan 14, 2025 23:02:07.619885921 CET	50181	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:02:07.619976997 CET	50181	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:02:07.619976997 CET	50181	445	192.168.2.5	131.73.187.1
Jan 14, 2025 23:02:07.625016928 CET	445	50181	131.73.187.1	192.168.2.5
Jan 14, 2025 23:02:07.625063896 CET	445	50181	131.73.187.1	192.168.2.5
Jan 14, 2025 23:02:07.668757915 CET	50355	445	192.168.2.5	54.252.124.47
Jan 14, 2025 23:02:07.673793077 CET	445	50355	54.252.124.47	192.168.2.5
Jan 14, 2025 23:02:07.673897982 CET	50355	445	192.168.2.5	54.252.124.47
Jan 14, 2025 23:02:07.673969984 CET	50355	445	192.168.2.5	54.252.124.47
Jan 14, 2025 23:02:07.674144983 CET	50356	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.678886890 CET	445	50355	54.252.124.47	192.168.2.5
Jan 14, 2025 23:02:07.678947926 CET	50355	445	192.168.2.5	54.252.124.47
Jan 14, 2025 23:02:07.679086924 CET	445	50356	54.252.124.1	192.168.2.5
Jan 14, 2025 23:02:07.679158926 CET	50356	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.679290056 CET	50356	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.679670095 CET	50357	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.684402943 CET	445	50356	54.252.124.1	192.168.2.5
Jan 14, 2025 23:02:07.684478045 CET	50356	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.684566975 CET	50358	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.684631109 CET	445	50357	54.252.124.1	192.168.2.5
Jan 14, 2025 23:02:07.684714079 CET	50357	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.684714079 CET	50357	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:07.689425945 CET	445	50358	131.73.187.2	192.168.2.5
Jan 14, 2025 23:02:07.689496994 CET	50358	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.689562082 CET	50358	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.689711094 CET	445	50357	54.252.124.1	192.168.2.5
Jan 14, 2025 23:02:07.690022945 CET	50359	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.694549084 CET	445	50358	131.73.187.2	192.168.2.5
Jan 14, 2025 23:02:07.694607973 CET	50358	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.694842100 CET	445	50359	131.73.187.2	192.168.2.5
Jan 14, 2025 23:02:07.694960117 CET	50359	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.694982052 CET	50359	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:07.699843884 CET	445	50359	131.73.187.2	192.168.2.5
Jan 14, 2025 23:02:08.314768076 CET	445	50188	192.117.193.1	192.168.2.5
Jan 14, 2025 23:02:08.314963102 CET	50188	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:08.314963102 CET	50188	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:08.314964056 CET	50188	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:08.320983887 CET	445	50188	192.117.193.1	192.168.2.5
Jan 14, 2025 23:02:08.321019888 CET	445	50188	192.117.193.1	192.168.2.5
Jan 14, 2025 23:02:08.434298992 CET	50360	445	192.168.2.5	96.221.78.64
Jan 14, 2025 23:02:08.439271927 CET	445	50360	96.221.78.64	192.168.2.5
Jan 14, 2025 23:02:08.439536095 CET	50360	445	192.168.2.5	96.221.78.64
Jan 14, 2025 23:02:08.439537048 CET	50360	445	192.168.2.5	96.221.78.64
Jan 14, 2025 23:02:08.439703941 CET	50361	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.444473982 CET	445	50361	96.221.78.1	192.168.2.5
Jan 14, 2025 23:02:08.444550037 CET	50361	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.444586039 CET	50361	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.444650888 CET	445	50360	96.221.78.64	192.168.2.5
Jan 14, 2025 23:02:08.444787025 CET	50362	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.444835901 CET	50360	445	192.168.2.5	96.221.78.64
Jan 14, 2025 23:02:08.449511051 CET	445	50361	96.221.78.1	192.168.2.5
Jan 14, 2025 23:02:08.449635029 CET	50361	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.449636936 CET	445	50362	96.221.78.1	192.168.2.5
Jan 14, 2025 23:02:08.449712038 CET	50362	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.449745893 CET	50362	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:08.454550982 CET	445	50362	96.221.78.1	192.168.2.5
Jan 14, 2025 23:02:08.498692989 CET	445	50190	200.56.125.1	192.168.2.5
Jan 14, 2025 23:02:08.498761892 CET	50190	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:02:08.498800993 CET	50190	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:02:08.498847008 CET	50190	445	192.168.2.5	200.56.125.1
Jan 14, 2025 23:02:08.503668070 CET	445	50190	200.56.125.1	192.168.2.5
Jan 14, 2025 23:02:08.503696918 CET	445	50190	200.56.125.1	192.168.2.5
Jan 14, 2025 23:02:08.559032917 CET	50363	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.563858986 CET	445	50363	200.56.125.2	192.168.2.5
Jan 14, 2025 23:02:08.563950062 CET	50363	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.563961983 CET	50363	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.564202070 CET	50364	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.569134951 CET	445	50364	200.56.125.2	192.168.2.5
Jan 14, 2025 23:02:08.569166899 CET	445	50363	200.56.125.2	192.168.2.5
Jan 14, 2025 23:02:08.569196939 CET	50364	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.569216013 CET	50363	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.569281101 CET	50364	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:08.574090958 CET	445	50364	200.56.125.2	192.168.2.5
Jan 14, 2025 23:02:09.309303045 CET	50366	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:09.314318895 CET	445	50366	170.188.75.1	192.168.2.5
Jan 14, 2025 23:02:09.314488888 CET	50366	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:09.314488888 CET	50366	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:09.319377899 CET	445	50366	170.188.75.1	192.168.2.5
Jan 14, 2025 23:02:10.311486006 CET	445	50201	31.38.176.1	192.168.2.5
Jan 14, 2025 23:02:10.311697960 CET	50201	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:10.311697960 CET	50201	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:10.311697960 CET	50201	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:10.316621065 CET	445	50201	31.38.176.1	192.168.2.5
Jan 14, 2025 23:02:10.316776037 CET	445	50201	31.38.176.1	192.168.2.5
Jan 14, 2025 23:02:10.532128096 CET	445	50204	33.35.197.1	192.168.2.5
Jan 14, 2025 23:02:10.532320976 CET	50204	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:02:10.532320976 CET	50204	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:02:10.532736063 CET	50204	445	192.168.2.5	33.35.197.1
Jan 14, 2025 23:02:10.537192106 CET	445	50204	33.35.197.1	192.168.2.5
Jan 14, 2025 23:02:10.537542105 CET	445	50204	33.35.197.1	192.168.2.5
Jan 14, 2025 23:02:10.592632055 CET	50370	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:10.597531080 CET	445	50370	33.35.197.2	192.168.2.5
Jan 14, 2025 23:02:10.597623110 CET	50370	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:10.597647905 CET	50370	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:10.597942114 CET	50371	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:10.602721930 CET	445	50371	33.35.197.2	192.168.2.5
Jan 14, 2025 23:02:10.602799892 CET	50371	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:10.602826118 CET	50371	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:10.606347084 CET	445	50370	33.35.197.2	192.168.2.5
Jan 14, 2025 23:02:10.607714891 CET	445	50371	33.35.197.2	192.168.2.5
Jan 14, 2025 23:02:10.622792006 CET	445	50370	33.35.197.2	192.168.2.5
Jan 14, 2025 23:02:10.622853994 CET	50370	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:11.093020916 CET	445	50208	66.125.28.2	192.168.2.5
Jan 14, 2025 23:02:11.093125105 CET	50208	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:02:11.093169928 CET	50208	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:02:11.093216896 CET	50208	445	192.168.2.5	66.125.28.2
Jan 14, 2025 23:02:11.097980022 CET	445	50208	66.125.28.2	192.168.2.5
Jan 14, 2025 23:02:11.097995996 CET	445	50208	66.125.28.2	192.168.2.5
Jan 14, 2025 23:02:11.153593063 CET	50374	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.158890009 CET	445	50374	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:11.158987045 CET	50374	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.159029007 CET	50374	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.159296036 CET	50375	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.164318085 CET	445	50374	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:11.164352894 CET	445	50375	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:11.164391994 CET	50374	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.164427996 CET	50375	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.164444923 CET	50375	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:11.170720100 CET	445	50375	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:11.324949026 CET	50376	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:11.329992056 CET	445	50376	192.117.193.1	192.168.2.5
Jan 14, 2025 23:02:11.330061913 CET	50376	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:11.330080986 CET	50376	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:11.334954977 CET	445	50376	192.117.193.1	192.168.2.5
Jan 14, 2025 23:02:12.340411901 CET	445	50219	124.128.75.1	192.168.2.5
Jan 14, 2025 23:02:12.340491056 CET	50219	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:12.355552912 CET	50219	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:12.358521938 CET	50219	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:12.360327959 CET	445	50219	124.128.75.1	192.168.2.5
Jan 14, 2025 23:02:12.363318920 CET	445	50219	124.128.75.1	192.168.2.5
Jan 14, 2025 23:02:12.787226915 CET	445	50375	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:12.787425995 CET	50375	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:12.787425995 CET	50375	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:12.787425995 CET	50375	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:12.793422937 CET	445	50375	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:12.793432951 CET	445	50375	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:13.324856043 CET	50391	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:13.329746008 CET	445	50391	31.38.176.1	192.168.2.5
Jan 14, 2025 23:02:13.329900026 CET	50391	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:13.329916000 CET	50391	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:13.334650993 CET	445	50391	31.38.176.1	192.168.2.5
Jan 14, 2025 23:02:14.233378887 CET	445	50233	155.32.24.1	192.168.2.5
Jan 14, 2025 23:02:14.233594894 CET	50233	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:14.233594894 CET	50233	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:14.233594894 CET	50233	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:14.238570929 CET	445	50233	155.32.24.1	192.168.2.5
Jan 14, 2025 23:02:14.238600969 CET	445	50233	155.32.24.1	192.168.2.5
Jan 14, 2025 23:02:14.809694052 CET	445	50237	192.75.238.1	192.168.2.5
Jan 14, 2025 23:02:14.809799910 CET	50237	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:02:14.809993029 CET	50237	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:02:14.809993029 CET	50237	445	192.168.2.5	192.75.238.1
Jan 14, 2025 23:02:14.814831018 CET	445	50237	192.75.238.1	192.168.2.5
Jan 14, 2025 23:02:14.814861059 CET	445	50237	192.75.238.1	192.168.2.5
Jan 14, 2025 23:02:15.088428974 CET	50410	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.093559980 CET	445	50410	192.75.238.2	192.168.2.5
Jan 14, 2025 23:02:15.093643904 CET	50410	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.093712091 CET	50410	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.094145060 CET	50412	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.098737001 CET	445	50410	192.75.238.2	192.168.2.5
Jan 14, 2025 23:02:15.098799944 CET	50410	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.099088907 CET	445	50412	192.75.238.2	192.168.2.5
Jan 14, 2025 23:02:15.099147081 CET	50412	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.099167109 CET	50412	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:15.103965998 CET	445	50412	192.75.238.2	192.168.2.5
Jan 14, 2025 23:02:15.371850967 CET	50415	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:15.376750946 CET	445	50415	124.128.75.1	192.168.2.5
Jan 14, 2025 23:02:15.376826048 CET	50415	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:15.376861095 CET	50415	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:15.382142067 CET	445	50415	124.128.75.1	192.168.2.5
Jan 14, 2025 23:02:15.793844938 CET	50423	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:15.798825026 CET	445	50423	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:15.798957109 CET	50423	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:15.798998117 CET	50423	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:15.803858042 CET	445	50423	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:16.003489971 CET	445	50248	206.34.209.1	192.168.2.5
Jan 14, 2025 23:02:16.003611088 CET	50248	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:02:16.003612041 CET	50248	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:02:16.003684998 CET	50248	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:02:16.012670994 CET	445	50248	206.34.209.1	192.168.2.5
Jan 14, 2025 23:02:16.012702942 CET	445	50248	206.34.209.1	192.168.2.5
Jan 14, 2025 23:02:16.596895933 CET	445	50253	45.211.236.1	192.168.2.5
Jan 14, 2025 23:02:16.598701954 CET	50253	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:02:16.598756075 CET	50253	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:02:16.598757029 CET	50253	445	192.168.2.5	45.211.236.1
Jan 14, 2025 23:02:16.603573084 CET	445	50253	45.211.236.1	192.168.2.5
Jan 14, 2025 23:02:16.603602886 CET	445	50253	45.211.236.1	192.168.2.5
Jan 14, 2025 23:02:16.653251886 CET	50440	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.658081055 CET	445	50440	45.211.236.2	192.168.2.5
Jan 14, 2025 23:02:16.658163071 CET	50440	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.658252954 CET	50440	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.658521891 CET	50441	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.663208008 CET	445	50440	45.211.236.2	192.168.2.5
Jan 14, 2025 23:02:16.663336039 CET	50440	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.663382053 CET	445	50441	45.211.236.2	192.168.2.5
Jan 14, 2025 23:02:16.663455963 CET	50441	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.663500071 CET	50441	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:16.668335915 CET	445	50441	45.211.236.2	192.168.2.5
Jan 14, 2025 23:02:17.246769905 CET	50454	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:17.251573086 CET	445	50454	155.32.24.1	192.168.2.5
Jan 14, 2025 23:02:17.251662970 CET	50454	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:17.251694918 CET	50454	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:17.256576061 CET	445	50454	155.32.24.1	192.168.2.5
Jan 14, 2025 23:02:17.434156895 CET	445	50423	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:17.434288025 CET	50423	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:17.434387922 CET	50423	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:17.434387922 CET	50423	445	192.168.2.5	66.125.28.3
Jan 14, 2025 23:02:17.439266920 CET	445	50423	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:17.439482927 CET	445	50423	66.125.28.3	192.168.2.5
Jan 14, 2025 23:02:17.496972084 CET	50459	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.501733065 CET	445	50459	66.125.28.4	192.168.2.5
Jan 14, 2025 23:02:17.501847982 CET	50459	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.501858950 CET	50459	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.502161980 CET	50460	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.506767988 CET	445	50459	66.125.28.4	192.168.2.5
Jan 14, 2025 23:02:17.506820917 CET	50459	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.506891012 CET	445	50460	66.125.28.4	192.168.2.5
Jan 14, 2025 23:02:17.506947994 CET	50460	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.506973028 CET	50460	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:17.511750937 CET	445	50460	66.125.28.4	192.168.2.5
Jan 14, 2025 23:02:17.626159906 CET	445	50263	27.102.118.1	192.168.2.5
Jan 14, 2025 23:02:17.626214027 CET	50263	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:02:17.626244068 CET	50263	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:02:17.626267910 CET	50263	445	192.168.2.5	27.102.118.1
Jan 14, 2025 23:02:17.631022930 CET	445	50263	27.102.118.1	192.168.2.5
Jan 14, 2025 23:02:17.631098986 CET	445	50263	27.102.118.1	192.168.2.5
Jan 14, 2025 23:02:18.560662985 CET	445	50270	178.11.135.1	192.168.2.5
Jan 14, 2025 23:02:18.560781002 CET	50270	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:02:18.560781002 CET	50270	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:02:18.560868979 CET	50270	445	192.168.2.5	178.11.135.1
Jan 14, 2025 23:02:18.565702915 CET	445	50270	178.11.135.1	192.168.2.5
Jan 14, 2025 23:02:18.565711021 CET	445	50270	178.11.135.1	192.168.2.5
Jan 14, 2025 23:02:18.621917009 CET	50494	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.626899004 CET	445	50494	178.11.135.2	192.168.2.5
Jan 14, 2025 23:02:18.626993895 CET	50494	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.627037048 CET	50494	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.627330065 CET	50495	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.632184029 CET	445	50495	178.11.135.2	192.168.2.5
Jan 14, 2025 23:02:18.632268906 CET	50495	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.632307053 CET	50495	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.632472992 CET	445	50494	178.11.135.2	192.168.2.5
Jan 14, 2025 23:02:18.632539988 CET	50494	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:18.637093067 CET	445	50495	178.11.135.2	192.168.2.5
Jan 14, 2025 23:02:19.012402058 CET	50515	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:02:19.017283916 CET	445	50515	206.34.209.1	192.168.2.5
Jan 14, 2025 23:02:19.017380953 CET	50515	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:02:19.017402887 CET	50515	445	192.168.2.5	206.34.209.1
Jan 14, 2025 23:02:19.022280931 CET	445	50515	206.34.209.1	192.168.2.5
Jan 14, 2025 23:02:19.124150038 CET	445	50275	138.229.112.1	192.168.2.5
Jan 14, 2025 23:02:19.124278069 CET	50275	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:02:19.124313116 CET	50275	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:02:19.124355078 CET	50275	445	192.168.2.5	138.229.112.1
Jan 14, 2025 23:02:19.129143953 CET	445	50275	138.229.112.1	192.168.2.5
Jan 14, 2025 23:02:19.129163027 CET	445	50275	138.229.112.1	192.168.2.5
Jan 14, 2025 23:02:20.546056032 CET	445	50287	106.52.131.1	192.168.2.5
Jan 14, 2025 23:02:20.546122074 CET	50287	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:02:20.620620966 CET	445	50288	55.86.227.1	192.168.2.5
Jan 14, 2025 23:02:20.620683908 CET	50288	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:02:21.189734936 CET	50391	445	192.168.2.5	31.38.176.1
Jan 14, 2025 23:02:21.189774036 CET	50319	445	192.168.2.5	210.238.136.2
Jan 14, 2025 23:02:21.189816952 CET	50353	445	192.168.2.5	199.47.119.1
Jan 14, 2025 23:02:21.189837933 CET	50364	445	192.168.2.5	200.56.125.2
Jan 14, 2025 23:02:21.189868927 CET	50350	445	192.168.2.5	33.175.236.1
Jan 14, 2025 23:02:21.189904928 CET	50345	445	192.168.2.5	135.45.113.1
Jan 14, 2025 23:02:21.189949036 CET	50341	445	192.168.2.5	165.165.9.1
Jan 14, 2025 23:02:21.189984083 CET	50371	445	192.168.2.5	33.35.197.2
Jan 14, 2025 23:02:21.190016031 CET	50332	445	192.168.2.5	24.33.186.1
Jan 14, 2025 23:02:21.190048933 CET	50306	445	192.168.2.5	33.131.241.1
Jan 14, 2025 23:02:21.190057993 CET	50344	445	192.168.2.5	197.4.5.3
Jan 14, 2025 23:02:21.190092087 CET	50287	445	192.168.2.5	106.52.131.1
Jan 14, 2025 23:02:21.190129042 CET	50376	445	192.168.2.5	192.117.193.1
Jan 14, 2025 23:02:21.190175056 CET	50495	445	192.168.2.5	178.11.135.2
Jan 14, 2025 23:02:21.190196991 CET	50288	445	192.168.2.5	55.86.227.1
Jan 14, 2025 23:02:21.190223932 CET	50300	445	192.168.2.5	80.91.35.1
Jan 14, 2025 23:02:21.190249920 CET	50314	445	192.168.2.5	206.38.36.1
Jan 14, 2025 23:02:21.190268993 CET	50324	445	192.168.2.5	27.239.87.1
Jan 14, 2025 23:02:21.190303087 CET	50325	445	192.168.2.5	14.88.215.1
Jan 14, 2025 23:02:21.190391064 CET	50357	445	192.168.2.5	54.252.124.1
Jan 14, 2025 23:02:21.190397024 CET	50354	445	192.168.2.5	175.107.76.1
Jan 14, 2025 23:02:21.190411091 CET	50359	445	192.168.2.5	131.73.187.2
Jan 14, 2025 23:02:21.190438986 CET	50362	445	192.168.2.5	96.221.78.1
Jan 14, 2025 23:02:21.190465927 CET	50366	445	192.168.2.5	170.188.75.1
Jan 14, 2025 23:02:21.190485001 CET	50415	445	192.168.2.5	124.128.75.1
Jan 14, 2025 23:02:21.190506935 CET	50412	445	192.168.2.5	192.75.238.2
Jan 14, 2025 23:02:21.190548897 CET	50441	445	192.168.2.5	45.211.236.2
Jan 14, 2025 23:02:21.190568924 CET	50454	445	192.168.2.5	155.32.24.1
Jan 14, 2025 23:02:21.190599918 CET	50460	445	192.168.2.5	66.125.28.4
Jan 14, 2025 23:02:21.190752983 CET	50515	445	192.168.2.5	206.34.209.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:01:13.372632027 CET	57619	53	192.168.2.5	1.1.1.1
Jan 14, 2025 23:01:13.673958063 CET	53	57619	1.1.1.1	192.168.2.5
Jan 14, 2025 23:01:14.302748919 CET	57086	53	192.168.2.5	1.1.1.1
Jan 14, 2025 23:01:14.635179043 CET	53	57086	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 23:01:13.372632027 CET	192.168.2.5	1.1.1.1	0x8ff	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:01:14.302748919 CET	192.168.2.5	1.1.1.1	0x1998	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 23:01:13.673958063 CET	1.1.1.1	192.168.2.5	0x8ff	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:01:14.635179043 CET	1.1.1.1	192.168.2.5	0x1998	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 23:01:14.635179043 CET	1.1.1.1	192.168.2.5	0x1998	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	103.224.212.215	80	1856	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:13.686799049 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:01:14.297621012 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:14 GMT server: Apache set-cookie: __tad=1736892074.7770901; expires=Fri, 12-Jan-2035 22:01:14 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-14d8-ae64-02e71c751956 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	199.59.243.228	80	1856	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:14.693592072 CET	169	OUT	GET /?subid1=20250115-0901-14d8-ae64-02e71c751956 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:01:15.147213936 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:14 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 4d94cd22-7172-4f4b-ac4b-b562938e91cd cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fmDkl1micUtHf1h2TPGUCd9++v5k8A3EIS4g9OyvZEtMlVWgJ5GbfBSE8oLhseZElbRsJY5iKDG3VxleMvkWeA== set-cookie: parking_session=4d94cd22-7172-4f4b-ac4b-b562938e91cd; expires=Tue, 14 Jan 2025 22:16:15 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 6d 44 6b 6c 31 6d 69 63 55 74 48 66 31 68 32 54 50 47 55 43 64 39 2b 2b 76 35 6b 38 41 33 45 49 53 34 67 39 4f 79 76 5a 45 74 4d 6c 56 57 67 4a 35 47 62 66 42 53 45 38 6f 4c 68 73 65 5a 45 6c 62 52 73 4a 59 35 69 4b 44 47 33 56 78 6c 65 4d 76 6b 57 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fmDkl1micUtHf1h2TPGUCd9++v5k8A3EIS4g9OyvZEtMlVWgJ5GbfBSE8oLhseZElbRsJY5iKDG3VxleMvkWeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:01:15.147239923 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGQ5NGNkMjItNzE3Mi00ZjRiLWFjNGItYjU2MjkzOGU5MWNkIiwicGFnZV90aW1lIjoxNzM2ODkyMDc1LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	103.224.212.215	80	6448	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:15.565308094 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:01:16.150002003 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:16 GMT server: Apache set-cookie: __tad=1736892076.6256118; expires=Fri, 12-Jan-2035 22:01:16 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	103.224.212.215	80	4308	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:16.165612936 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736892074.7770901
Jan 14, 2025 23:01:16.813292980 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:16 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1690-be53-cf6353b68d38 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49709	199.59.243.228	80	6448	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:16.166739941 CET	169	OUT	GET /?subid1=20250115-0901-1669-a0d3-4edd9cd30f7f HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:01:16.636703968 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:15 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 2b1c7d15-64e4-403c-960e-14ef7a2518e1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VmvFZPqzq7VveYk3xHXar9k3KK4qma5/1QzouPHYF8Q4GkjKbGEQQqEoVH5S7TFMlolJZJcmXf3A94y03SErtQ== set-cookie: parking_session=2b1c7d15-64e4-403c-960e-14ef7a2518e1; expires=Tue, 14 Jan 2025 22:16:16 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 6d 76 46 5a 50 71 7a 71 37 56 76 65 59 6b 33 78 48 58 61 72 39 6b 33 4b 4b 34 71 6d 61 35 2f 31 51 7a 6f 75 50 48 59 46 38 51 34 47 6b 6a 4b 62 47 45 51 51 71 45 6f 56 48 35 53 37 54 46 4d 6c 6f 6c 4a 5a 4a 63 6d 58 66 33 41 39 34 79 30 33 53 45 72 74 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VmvFZPqzq7VveYk3xHXar9k3KK4qma5/1QzouPHYF8Q4GkjKbGEQQqEoVH5S7TFMlolJZJcmXf3A94y03SErtQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:01:16.636728048 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmIxYzdkMTUtNjRlNC00MDNjLTk2MGUtMTRlZjdhMjUxOGUxIiwicGFnZV90aW1lIjoxNzM2ODkyMDc2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	199.59.243.228	80	4308	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:16.826224089 CET	231	OUT	GET /?subid1=20250115-0901-1690-be53-cf6353b68d38 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=4d94cd22-7172-4f4b-ac4b-b562938e91cd
Jan 14, 2025 23:01:17.306843042 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:16 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 0f3f2500-3968-40b2-bf76-9bda12e1951a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_G6X7Xgxlmtr1/YyeEI9UVXlp1c8F8BKDPZ2Bxa3FlSuj1dOrYft3PAaWm21Z7hAzLQrvvIEyzeb5tZ1u2I47GQ== set-cookie: parking_session=4d94cd22-7172-4f4b-ac4b-b562938e91cd; expires=Tue, 14 Jan 2025 22:16:17 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 47 36 58 37 58 67 78 6c 6d 74 72 31 2f 59 79 65 45 49 39 55 56 58 6c 70 31 63 38 46 38 42 4b 44 50 5a 32 42 78 61 33 46 6c 53 75 6a 31 64 4f 72 59 66 74 33 50 41 61 57 6d 32 31 5a 37 68 41 7a 4c 51 72 76 76 49 45 79 7a 65 62 35 74 5a 31 75 32 49 34 37 47 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_G6X7Xgxlmtr1/YyeEI9UVXlp1c8F8BKDPZ2Bxa3FlSuj1dOrYft3PAaWm21Z7hAzLQrvvIEyzeb5tZ1u2I47GQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 23:01:17.306930065 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGQ5NGNkMjItNzE3Mi00ZjRiLWFjNGItYjU2MjkzOGU5MWNkIiwicGFnZV90aW1lIjoxNzM2ODkyMDc3LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	17:01:12
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll"
Imagebase:	0xc00000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:01:12
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:01:12
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:01:12
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\F1G5BkUV74.dll,PlayGame
Imagebase:	0xed0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:01:12
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",#1
Imagebase:	0xed0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:01:12
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	B6FB8BD123BD0C46CC1A17A2775569B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2138325687.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2138475485.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	B6FB8BD123BD0C46CC1A17A2775569B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2159921750.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2160091492.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2811407590.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2811667868.0000000002289000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:01:15
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F1G5BkUV74.dll",PlayGame
Imagebase:	0xed0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:01:15
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	B6FB8BD123BD0C46CC1A17A2775569B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2180600297.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2166423022.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.2180869415.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.2166574192.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D
D, xrefs: 00407ED3
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000006.00000002.2173615196.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2173598319.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173635545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173694782.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2173615196.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2173598319.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173635545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173694782.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2173615196.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2173598319.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173635545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173694782.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000006.00000002.2173615196.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2173598319.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173635545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173694782.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2173615196.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2173598319.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173635545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173651265.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173694782.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2173785184.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 6448, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2810190714.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2810158904.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810206038.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810272136.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810286991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2810190714.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2810158904.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810206038.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810272136.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810286991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000007.00000002.2810190714.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2810158904.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810206038.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810272136.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810286991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

/i, xrefs: 00407E8D
CreateFileA, xrefs: 00407D0F
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
CreateProcessA, xrefs: 00407D07
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000007.00000002.2810190714.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2810158904.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810206038.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810272136.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810286991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2810190714.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2810158904.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810206038.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810219864.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810257698.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810272136.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810286991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2810402637.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F1G5BkUV74.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
F1G5BkUV74.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON