Edit tour

Windows Analysis Report
D3W41IdtQA.dll

Overview

General Information

Sample name:	D3W41IdtQA.dll renamed because original name is a hash value
Original sample name:	fdcac773c1bae1197a3b30bc0e44bf4d.dll
Analysis ID:	1591388
MD5:	fdcac773c1bae1197a3b30bc0e44bf4d
SHA1:	11c157aa6e5e81f06b4075da79ba6871c8d99362
SHA256:	2bb25bfd55561e547c27fce2e29208f5255e3e121ff405ad154ad413fda59b20
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2800 cmdline: loaddll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4612 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5052 cmdline: rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6052 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 8FFE5EAA2C7E7B68B68F70F7B2456C42)

rundll32.exe (PID: 5348 cmdline: rundll32.exe C:\Users\user\Desktop\D3W41IdtQA.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2796 cmdline: rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 3252 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 8FFE5EAA2C7E7B68B68F70F7B2456C42)

mssecsvr.exe (PID: 3480 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 8FFE5EAA2C7E7B68B68F70F7B2456C42)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
D3W41IdtQA.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
D3W41IdtQA.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
D3W41IdtQA.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.2078455711.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2087741306.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.2059116845.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2100501122.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 6052	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3480	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3252	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
9.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
9.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d7a128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.1d7a128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.226f8c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.22a196c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.22a196c.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d48084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
9.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.22a196c.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22a196c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.22a196c.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
9.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d7a128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d7a128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.1d7a128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d57104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d57104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d57104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d57104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.227e948.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227e948.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.227e948.6.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.227e948.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d48084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d48084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d48084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.226f8c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.226f8c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.226f8c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d57104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d57104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d57104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.227e948.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227e948.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.227e948.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.227a8e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227a8e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.227a8e8.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d530a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d530a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d530a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:34:07.495531+0100	2803304	3	Unknown Traffic	192.168.2.5	49704	103.224.212.215	80	TCP
2025-01-14T23:34:09.108444+0100	2803304	3	Unknown Traffic	192.168.2.5	49706	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:34:06.539483+0100	2830018	1	A Network Trojan was detected	192.168.2.5	54804	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: D3W41IdtQA.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033a7	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd529f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d9	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d94b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd52	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/.=	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 82%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Source: D3W41IdtQA.dll	ReversingLabs: Detection: 88%
Source: D3W41IdtQA.dll	Virustotal: Detection: 91%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: D3W41IdtQA.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: D3W41IdtQA.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.5:54804 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.5:53091 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0934-0711-a4e9-cbca1637d94b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0934-0970-8cc9-73b029fd529f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736894047.2350906
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0934-09e1-a4d8-9386228033a7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=85d71e1c-462c-4976-95fa-24291f75e090

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.236
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.236
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.236
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.236
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 22.33.251.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 69.124.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.5
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.5
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.5
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.5
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 58.192.79.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.177
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.177
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.177
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.177
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.33.155.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0934-0711-a4e9-cbca1637d94b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0934-0970-8cc9-73b029fd529f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736894047.2350906
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0934-09e1-a4d8-9386228033a7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=85d71e1c-462c-4976-95fa-24291f75e090

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/.=
Source: mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d9
Source: mssecsvr.exe, 00000007.00000002.2727735828.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd52
Source: mssecsvr.exe, 00000009.00000002.2100882934.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033
Source: D3W41IdtQA.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000005.00000002.2093415312.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2100882934.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2100882934.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2100882934.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.2093415312.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/5
Source: mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/;
Source: mssecsvr.exe, 00000009.00000002.2100882934.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/c
Source: mssecsvr.exe, 00000007.00000002.2727735828.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o
Source: mssecsvr.exe, 00000007.00000002.2727735828.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r
Source: mssecsvr.exe, 00000009.00000002.2100882934.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com?
Source: mssecsvr.exe, 00000007.00000002.2727355330.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000005.00000002.2093415312.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comi

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: D3W41IdtQA.dll, type: SAMPLE
Source: Yara match	File source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.22a196c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d7a128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d48084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.226f8c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d57104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227e948.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227a8e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d530a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.2078455711.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2087741306.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2059116845.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2100501122.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: D3W41IdtQA.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: D3W41IdtQA.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d7a128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d7a128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.226f8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22a196c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22a196c.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d48084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22a196c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22a196c.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d7a128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d7a128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d48084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d48084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.226f8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.226f8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d57104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d57104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.227e948.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227e948.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.227a8e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227a8e8.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d530a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d530a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: Joe Sandbox View	Dropped File: C:\WINDOWS\qeriuwjhrf (copy) F5D803CFAC34984BA4083EFE107652B387B5F807B84B9CF15B255CA59287DCB9
Source: Joe Sandbox View	Dropped File: C:\Windows\tasksche.exe F5D803CFAC34984BA4083EFE107652B387B5F807B84B9CF15B255CA59287DCB9

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: D3W41IdtQA.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: D3W41IdtQA.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: D3W41IdtQA.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d7a128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d7a128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.226f8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22a196c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22a196c.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d48084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22a196c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22a196c.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d7a128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d7a128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d57104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.227e948.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d48084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d48084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.226f8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.226f8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d57104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d57104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.227e948.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227e948.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.227a8e8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227a8e8.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d530a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d530a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.5.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: D3W41IdtQA.dll, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@3/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		7_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03

Source: D3W41IdtQA.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3W41IdtQA.dll,PlayGame

Source: D3W41IdtQA.dll	ReversingLabs: Detection: 88%
Source: D3W41IdtQA.dll	Virustotal: Detection: 91%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3W41IdtQA.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3W41IdtQA.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: D3W41IdtQA.dll

Static file information: File size 5267459 > 1048576

Source: D3W41IdtQA.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.5.dr

Static PE information: section name: .text entropy: 7.663042758896975

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 1856	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1856	Thread sleep time: -194000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2824	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2824	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1856	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000009.00000002.2100882934.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: mssecsvr.exe, 00000005.00000002.2093415312.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2093415312.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2727735828.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2100882934.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2100882934.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000007.00000002.2727735828.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHx

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
D3W41IdtQA.dll	88%	ReversingLabs	Win32.Ransomware.WannaCry
D3W41IdtQA.dll	92%	Virustotal		Browse
D3W41IdtQA.dll	100%	Avira	TR/AD.WannaCry.ghwow
D3W41IdtQA.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	83%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	83%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comi	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033a7	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd529f	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d9	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d94b	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd52	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/.=	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
15.164.165.52.in-addr.arpa	unknown	unknown	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033a7	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d94b	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd529f	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o	mssecsvr.exe, 00000007.00000002.2727735828.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	D3W41IdtQA.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d9	mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/c	mssecsvr.exe, 00000009.00000002.2100882934.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comi	mssecsvr.exe, 00000005.00000002.2093415312.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/;	mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000007.00000002.2727355330.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033	mssecsvr.exe, 00000009.00000002.2100882934.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/5	mssecsvr.exe, 00000005.00000002.2093415312.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r	mssecsvr.exe, 00000007.00000002.2727735828.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd52	mssecsvr.exe, 00000007.00000002.2727735828.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2091989361.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com?	mssecsvr.exe, 00000009.00000002.2100882934.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/.=	mssecsvr.exe, 00000005.00000002.2093415312.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
160.234.246.195	unknown	unknown	11259	ANGOLATELECOMAO	false
198.241.75.224	unknown	United States	14242	AS-NETBLK-COCUS	false
124.94.33.112	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
153.5.218.1	unknown	Slovenia	2107	ARNES-NETAcademicandResearchNetworkofSloveniaSI	false
133.205.133.214	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
160.234.246.1	unknown	unknown	11259	ANGOLATELECOMAO	false
161.190.209.78	unknown	Argentina	13474	BancodeGaliciayBuenosAiresAR	false
60.43.125.1	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
194.204.94.1	unknown	Switzerland	30862	ATOS-CH-ASCH	false
119.11.25.6	unknown	Australia	133612	VODAFONE-AS-APVodafoneAustraliaPtyLtdAU	false
190.175.99.1	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
145.214.61.1	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
58.192.79.1	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
58.192.79.2	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
164.159.211.1	unknown	United States	22284	AS22284-DOI-OPSUS	false
58.192.79.5	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
108.170.252.106	unknown	United States	15169	GOOGLEUS	false
69.170.172.1	unknown	United States	32035	CCDT-ASUS	false
202.122.32.233	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
123.102.22.1	unknown	Australia	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591388
Start date and time:	2025-01-14 23:33:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D3W41IdtQA.dll renamed because original name is a hash value
Original Sample Name:	fdcac773c1bae1197a3b30bc0e44bf4d.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@3/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 2.17.190.73, 13.107.246.45, 4.245.163.56, 52.165.164.15, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:34:08	API Interceptor	1x Sleep call for process: loaddll32.exe modified
17:34:43	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI	https://bonnpwqy.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	193.3.19.74
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	193.3.19.74
	miori.arm.elf	Get hash	malicious	Unknown	Browse	109.127.255.133
	https://bit.ly/3VYGxmh	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	193.3.19.63
	fuckunix.sh4.elf	Get hash	malicious	Mirai	Browse	95.87.163.30
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	armv7l.elf	Get hash	malicious	Unknown	Browse	149.62.103.197
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	39.80.197.203
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	27.219.109.201
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	182.119.252.121
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	42.63.214.1
	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse	27.11.108.236
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	39.74.29.1
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	116.178.208.121
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	61.167.78.49
	meth10.elf	Get hash	malicious	Mirai	Browse	60.16.183.30
	meth3.elf	Get hash	malicious	Mirai	Browse	157.2.250.223
ANGOLATELECOMAO	meth7.elf	Get hash	malicious	Mirai	Browse	197.216.246.233
	elitebotnet.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	197.217.148.152
	3.elf	Get hash	malicious	Unknown	Browse	197.217.236.126
	3.elf	Get hash	malicious	Unknown	Browse	160.236.42.51
	5.elf	Get hash	malicious	Unknown	Browse	160.225.206.82
	3.elf	Get hash	malicious	Unknown	Browse	197.217.101.163
	3.elf	Get hash	malicious	Unknown	Browse	197.217.236.158
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	160.224.189.110
	sora.mips.elf	Get hash	malicious	Unknown	Browse	160.241.234.5
	6.elf	Get hash	malicious	Unknown	Browse	197.217.101.144
AS-NETBLK-COCUS	jew.ppc.elf	Get hash	malicious	Unknown	Browse	198.241.106.85
	i586.elf	Get hash	malicious	Unknown	Browse	198.241.72.113
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	198.241.118.57
	na.elf	Get hash	malicious	Mirai	Browse	198.241.106.93
	na.elf	Get hash	malicious	Mirai	Browse	198.241.94.215
	EWqGQSXGXE.elf	Get hash	malicious	Mirai	Browse	198.241.118.61
	w4Jz8NeRDg.elf	Get hash	malicious	Mirai	Browse	198.241.119.125
	sora.arm	Get hash	malicious	Mirai	Browse	198.241.106.95

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\WINDOWS\qeriuwjhrf (copy)	Lsw2Eccslw.dll	Get hash	malicious	Wannacry	Browse
C:\Windows\tasksche.exe	Lsw2Eccslw.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	6.892941721428807
Encrypted:	false
SSDEEP:	49152:SEMSPbcBVQejy+TSqTdX1HkQo6SAARdhnr:ZPoBhOcSUDk36SAEdhr
MD5:	3F2ADB09EAFA948E37AFF583456E5CA6
SHA1:	75FCB7D65348AF54E34DC85B6A9CC9215897B569
SHA-256:	F5D803CFAC34984BA4083EFE107652B387B5F807B84B9CF15B255CA59287DCB9
SHA-512:	6822D277E66D6532AF802531C8FB71D7559AF3CCB5742DFD2C76A806907C786CA324933E2AEB856015F2F5A3628F74E178B878FB053AECF07BE8B19F2A6EC19E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: Lsw2Eccslw.dll, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	6.892941721428807
Encrypted:	false
SSDEEP:	49152:SEMSPbcBVQejy+TSqTdX1HkQo6SAARdhnr:ZPoBhOcSUDk36SAEdhr
MD5:	3F2ADB09EAFA948E37AFF583456E5CA6
SHA1:	75FCB7D65348AF54E34DC85B6A9CC9215897B569
SHA-256:	F5D803CFAC34984BA4083EFE107652B387B5F807B84B9CF15B255CA59287DCB9
SHA-512:	6822D277E66D6532AF802531C8FB71D7559AF3CCB5742DFD2C76A806907C786CA324933E2AEB856015F2F5A3628F74E178B878FB053AECF07BE8B19F2A6EC19E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: Lsw2Eccslw.dll, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.541772688125557
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	D3W41IdtQA.dll
File size:	5'267'459 bytes
MD5:	fdcac773c1bae1197a3b30bc0e44bf4d
SHA1:	11c157aa6e5e81f06b4075da79ba6871c8d99362
SHA256:	2bb25bfd55561e547c27fce2e29208f5255e3e121ff405ad154ad413fda59b20
SHA512:	75d6390da0c7a75fbf404d63a67061eec25628f291b34057acf6b3e3acc565600f61aba3e64924759b0e57c8cba7f9c8c9fa3f2dce710e2fe1dc696f3104c6e7
SSDEEP:	49152:RnsEMSPbcBVQejy+TSqTdX1HkQo6SAARdhn:1fPoBhOcSUDk36SAEdh
TLSH:	BB36239871BC81F8C10929B458A7C636B2B27C6921FE960FDBD09D573D33B45FB90A42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F88806D7F8Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F88806D7FA8h
cmp esi, 01h
je 00007F88806D7F87h
cmp esi, 02h
jne 00007F88806D7FA4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F88806D7F8Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F88806D7F8Eh
push edi
push esi
push ebx
call 00007F88806D7E9Ah
test eax, eax
jne 00007F88806D7F86h
xor eax, eax
jmp 00007F88806D7FD0h
push edi
push esi
push ebx
call 00007F88806D7D4Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F88806D7F8Eh
test eax, eax
jne 00007F88806D7FB9h
push edi
push eax
push ebx
call 00007F88806D7E76h
test esi, esi
je 00007F88806D7F87h
cmp esi, 03h
jne 00007F88806D7FA8h
push edi
push esi
push ebx
call 00007F88806D7E65h
test eax, eax
jne 00007F88806D7F85h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F88806D7F93h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F88806D7F8Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	639499d4452b5edfd558bd8dc5528183	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8792247772216797

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T23:34:06.539483+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.5	54804	1.1.1.1	53	UDP
2025-01-14T23:34:07.495531+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49704	103.224.212.215	80	TCP
2025-01-14T23:34:09.108444+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49706	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:34:01.137903929 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:01.137970924 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:01.247339964 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:06.853458881 CET	49704	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:06.858524084 CET	80	49704	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:06.858606100 CET	49704	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:06.858745098 CET	49704	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:06.863624096 CET	80	49704	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:07.495368004 CET	80	49704	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:07.495429039 CET	80	49704	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:07.495531082 CET	49704	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:07.500386953 CET	49704	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:07.505219936 CET	80	49704	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:07.835021973 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:07.840054035 CET	80	49705	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:07.840364933 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:07.840545893 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:07.845426083 CET	80	49705	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:08.296755075 CET	80	49705	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:08.296819925 CET	80	49705	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:08.296960115 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:08.296961069 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:08.302416086 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:08.302416086 CET	49705	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:08.458861113 CET	49706	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:08.463879108 CET	80	49706	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:08.463973045 CET	49706	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:08.464134932 CET	49706	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:08.468971968 CET	80	49706	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:09.108202934 CET	80	49706	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:09.108262062 CET	80	49706	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:09.108443975 CET	49706	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:09.108443975 CET	49706	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:09.111191988 CET	49706	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:09.112102032 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.116401911 CET	80	49706	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:09.117468119 CET	80	49707	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:09.117577076 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.117826939 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.122756004 CET	80	49707	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:09.395297050 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:09.400718927 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:09.400924921 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:09.401051044 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:09.406322956 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:09.661906004 CET	80	49707	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:09.661964893 CET	80	49707	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:09.662003994 CET	80	49707	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:09.662101984 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.662102938 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.662102938 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.668781996 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.668781996 CET	49707	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:09.700109005 CET	49709	445	192.168.2.5	22.33.251.236
Jan 14, 2025 23:34:09.705248117 CET	445	49709	22.33.251.236	192.168.2.5
Jan 14, 2025 23:34:09.705349922 CET	49709	445	192.168.2.5	22.33.251.236
Jan 14, 2025 23:34:09.706078053 CET	49709	445	192.168.2.5	22.33.251.236
Jan 14, 2025 23:34:09.710995913 CET	445	49709	22.33.251.236	192.168.2.5
Jan 14, 2025 23:34:09.711107016 CET	49709	445	192.168.2.5	22.33.251.236
Jan 14, 2025 23:34:09.712258101 CET	49710	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.717180967 CET	445	49710	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:09.717262030 CET	49710	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.717329025 CET	49710	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.720915079 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.722606897 CET	445	49710	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:09.722662926 CET	49710	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.725799084 CET	445	49711	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:09.725864887 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.725909948 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:09.730741978 CET	445	49711	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:10.014123917 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:10.014183998 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:10.014305115 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:10.014305115 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:10.016124964 CET	49708	80	192.168.2.5	103.224.212.215
Jan 14, 2025 23:34:10.016942024 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.021230936 CET	80	49708	103.224.212.215	192.168.2.5
Jan 14, 2025 23:34:10.022288084 CET	80	49717	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:10.022365093 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.022483110 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.027369022 CET	80	49717	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:10.486355066 CET	80	49717	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:10.486418009 CET	80	49717	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:10.486690044 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.486690044 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.490458012 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.490458012 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.495932102 CET	80	49717	199.59.243.228	192.168.2.5
Jan 14, 2025 23:34:10.496037960 CET	49717	80	192.168.2.5	199.59.243.228
Jan 14, 2025 23:34:10.747267008 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:10.747286081 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:10.856796026 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:11.702397108 CET	49735	445	192.168.2.5	69.124.198.19
Jan 14, 2025 23:34:11.707535982 CET	445	49735	69.124.198.19	192.168.2.5
Jan 14, 2025 23:34:11.707631111 CET	49735	445	192.168.2.5	69.124.198.19
Jan 14, 2025 23:34:11.707676888 CET	49735	445	192.168.2.5	69.124.198.19
Jan 14, 2025 23:34:11.707854033 CET	49736	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.712775946 CET	445	49736	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:11.712809086 CET	445	49735	69.124.198.19	192.168.2.5
Jan 14, 2025 23:34:11.712865114 CET	49736	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.712882996 CET	49735	445	192.168.2.5	69.124.198.19
Jan 14, 2025 23:34:11.712945938 CET	49736	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.713912964 CET	49737	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.717915058 CET	445	49736	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:11.717989922 CET	49736	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.718832970 CET	445	49737	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:11.718913078 CET	49737	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.719055891 CET	49737	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:11.723845959 CET	445	49737	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:12.502971888 CET	443	49703	23.1.237.91	192.168.2.5
Jan 14, 2025 23:34:12.503226042 CET	49703	443	192.168.2.5	23.1.237.91
Jan 14, 2025 23:34:13.717722893 CET	49759	445	192.168.2.5	58.192.79.5
Jan 14, 2025 23:34:13.723206997 CET	445	49759	58.192.79.5	192.168.2.5
Jan 14, 2025 23:34:13.723304987 CET	49759	445	192.168.2.5	58.192.79.5
Jan 14, 2025 23:34:13.723463058 CET	49759	445	192.168.2.5	58.192.79.5
Jan 14, 2025 23:34:13.727483988 CET	49760	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:13.729762077 CET	445	49759	58.192.79.5	192.168.2.5
Jan 14, 2025 23:34:13.729933023 CET	49759	445	192.168.2.5	58.192.79.5
Jan 14, 2025 23:34:13.733859062 CET	445	49760	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:13.734095097 CET	49760	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:13.734095097 CET	49760	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:13.735383987 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:13.741431952 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:13.741544008 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:13.741544008 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:13.745919943 CET	445	49760	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:13.748131990 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:13.751473904 CET	445	49760	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:13.751677990 CET	49760	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:15.732878923 CET	49782	445	192.168.2.5	163.33.155.177
Jan 14, 2025 23:34:15.739710093 CET	445	49782	163.33.155.177	192.168.2.5
Jan 14, 2025 23:34:15.739794970 CET	49782	445	192.168.2.5	163.33.155.177
Jan 14, 2025 23:34:15.739859104 CET	49782	445	192.168.2.5	163.33.155.177
Jan 14, 2025 23:34:15.740169048 CET	49783	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.745320082 CET	445	49783	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:15.745392084 CET	49783	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.745451927 CET	49783	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.745651960 CET	445	49782	163.33.155.177	192.168.2.5
Jan 14, 2025 23:34:15.746541977 CET	49784	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.751555920 CET	445	49782	163.33.155.177	192.168.2.5
Jan 14, 2025 23:34:15.751610041 CET	445	49783	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:15.751610994 CET	49782	445	192.168.2.5	163.33.155.177
Jan 14, 2025 23:34:15.751668930 CET	49783	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.751979113 CET	445	49784	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:15.752051115 CET	49784	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.752089977 CET	49784	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:15.756961107 CET	445	49784	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:17.748210907 CET	49806	445	192.168.2.5	115.64.228.169
Jan 14, 2025 23:34:17.753403902 CET	445	49806	115.64.228.169	192.168.2.5
Jan 14, 2025 23:34:17.753509045 CET	49806	445	192.168.2.5	115.64.228.169
Jan 14, 2025 23:34:17.753570080 CET	49806	445	192.168.2.5	115.64.228.169
Jan 14, 2025 23:34:17.753750086 CET	49807	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.758588076 CET	445	49806	115.64.228.169	192.168.2.5
Jan 14, 2025 23:34:17.758621931 CET	445	49807	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:17.758651972 CET	49806	445	192.168.2.5	115.64.228.169
Jan 14, 2025 23:34:17.758687019 CET	49807	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.758743048 CET	49807	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.759475946 CET	49808	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.763736963 CET	445	49807	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:17.764060974 CET	49807	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.764347076 CET	445	49808	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:17.764420986 CET	49808	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.764460087 CET	49808	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:17.769335032 CET	445	49808	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:19.763997078 CET	49831	445	192.168.2.5	74.178.121.222
Jan 14, 2025 23:34:19.769540071 CET	445	49831	74.178.121.222	192.168.2.5
Jan 14, 2025 23:34:19.769673109 CET	49831	445	192.168.2.5	74.178.121.222
Jan 14, 2025 23:34:19.769818068 CET	49831	445	192.168.2.5	74.178.121.222
Jan 14, 2025 23:34:19.769944906 CET	49832	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.775141001 CET	445	49832	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:19.775185108 CET	445	49831	74.178.121.222	192.168.2.5
Jan 14, 2025 23:34:19.775234938 CET	49832	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.775266886 CET	49831	445	192.168.2.5	74.178.121.222
Jan 14, 2025 23:34:19.775281906 CET	49832	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.776036024 CET	49833	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.780436039 CET	445	49832	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:19.780508041 CET	49832	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.780961990 CET	445	49833	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:19.781048059 CET	49833	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.781120062 CET	49833	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:19.785933018 CET	445	49833	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:21.780003071 CET	49857	445	192.168.2.5	167.175.169.112
Jan 14, 2025 23:34:21.784936905 CET	445	49857	167.175.169.112	192.168.2.5
Jan 14, 2025 23:34:21.785017967 CET	49857	445	192.168.2.5	167.175.169.112
Jan 14, 2025 23:34:21.785168886 CET	49857	445	192.168.2.5	167.175.169.112
Jan 14, 2025 23:34:21.785295963 CET	49858	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.789998055 CET	445	49857	167.175.169.112	192.168.2.5
Jan 14, 2025 23:34:21.790067911 CET	49857	445	192.168.2.5	167.175.169.112
Jan 14, 2025 23:34:21.790297985 CET	445	49858	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:21.790384054 CET	49858	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.790384054 CET	49858	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.790900946 CET	49859	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.795371056 CET	445	49858	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:21.795443058 CET	49858	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.795768976 CET	445	49859	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:21.795852900 CET	49859	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.795896053 CET	49859	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:21.800704956 CET	445	49859	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:23.795387983 CET	49891	445	192.168.2.5	133.205.133.214
Jan 14, 2025 23:34:23.800276041 CET	445	49891	133.205.133.214	192.168.2.5
Jan 14, 2025 23:34:23.800360918 CET	49891	445	192.168.2.5	133.205.133.214
Jan 14, 2025 23:34:23.800405979 CET	49891	445	192.168.2.5	133.205.133.214
Jan 14, 2025 23:34:23.800524950 CET	49892	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.805349112 CET	445	49892	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:23.805401087 CET	445	49891	133.205.133.214	192.168.2.5
Jan 14, 2025 23:34:23.805449963 CET	49892	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.805471897 CET	49891	445	192.168.2.5	133.205.133.214
Jan 14, 2025 23:34:23.805529118 CET	49892	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.805762053 CET	49893	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.810493946 CET	445	49892	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:23.810570955 CET	49892	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.810632944 CET	445	49893	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:23.810695887 CET	49893	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.810724020 CET	49893	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:23.815536022 CET	445	49893	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:25.812119007 CET	49927	445	192.168.2.5	148.13.134.185
Jan 14, 2025 23:34:25.817002058 CET	445	49927	148.13.134.185	192.168.2.5
Jan 14, 2025 23:34:25.817269087 CET	49927	445	192.168.2.5	148.13.134.185
Jan 14, 2025 23:34:25.817358017 CET	49927	445	192.168.2.5	148.13.134.185
Jan 14, 2025 23:34:25.817466974 CET	49928	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.822276115 CET	445	49928	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:25.822344065 CET	49928	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.822371960 CET	445	49927	148.13.134.185	192.168.2.5
Jan 14, 2025 23:34:25.822431087 CET	49927	445	192.168.2.5	148.13.134.185
Jan 14, 2025 23:34:25.822482109 CET	49928	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.823576927 CET	49929	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.827337980 CET	445	49928	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:25.827395916 CET	49928	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.828455925 CET	445	49929	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:25.828536034 CET	49929	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.828787088 CET	49929	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:25.833589077 CET	445	49929	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:27.825957060 CET	49963	445	192.168.2.5	161.190.209.78
Jan 14, 2025 23:34:27.830730915 CET	445	49963	161.190.209.78	192.168.2.5
Jan 14, 2025 23:34:27.831332922 CET	49963	445	192.168.2.5	161.190.209.78
Jan 14, 2025 23:34:27.831362009 CET	49963	445	192.168.2.5	161.190.209.78
Jan 14, 2025 23:34:27.831568003 CET	49964	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.836256027 CET	445	49963	161.190.209.78	192.168.2.5
Jan 14, 2025 23:34:27.836394072 CET	445	49964	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:27.836550951 CET	49963	445	192.168.2.5	161.190.209.78
Jan 14, 2025 23:34:27.836584091 CET	49964	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.836669922 CET	49964	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.836961031 CET	49965	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.841516972 CET	445	49964	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:27.841734886 CET	445	49965	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:27.841805935 CET	49964	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.841828108 CET	49965	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.841862917 CET	49965	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:27.846628904 CET	445	49965	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:29.841322899 CET	49997	445	192.168.2.5	202.122.32.233
Jan 14, 2025 23:34:29.846501112 CET	445	49997	202.122.32.233	192.168.2.5
Jan 14, 2025 23:34:29.846575975 CET	49997	445	192.168.2.5	202.122.32.233
Jan 14, 2025 23:34:29.846590042 CET	49997	445	192.168.2.5	202.122.32.233
Jan 14, 2025 23:34:29.846720934 CET	49998	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:29.851737022 CET	445	49998	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:29.851747990 CET	445	49997	202.122.32.233	192.168.2.5
Jan 14, 2025 23:34:29.851808071 CET	49997	445	192.168.2.5	202.122.32.233
Jan 14, 2025 23:34:29.852020025 CET	49998	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:29.852051020 CET	49999	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:29.856885910 CET	445	49999	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:29.856956005 CET	49999	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:29.856998920 CET	49999	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:29.857078075 CET	445	49998	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:29.857132912 CET	49998	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:29.861794949 CET	445	49999	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:31.423824072 CET	445	49711	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:31.423906088 CET	445	49711	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:31.423903942 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:31.423964024 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:31.424086094 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:31.424086094 CET	49711	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:31.433036089 CET	445	49711	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:31.433084965 CET	445	49711	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:31.857150078 CET	50030	445	192.168.2.5	60.43.125.135
Jan 14, 2025 23:34:31.862562895 CET	445	50030	60.43.125.135	192.168.2.5
Jan 14, 2025 23:34:31.862777948 CET	50030	445	192.168.2.5	60.43.125.135
Jan 14, 2025 23:34:31.862777948 CET	50030	445	192.168.2.5	60.43.125.135
Jan 14, 2025 23:34:31.862899065 CET	50032	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.868035078 CET	445	50030	60.43.125.135	192.168.2.5
Jan 14, 2025 23:34:31.868067980 CET	445	50032	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:31.868177891 CET	50032	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.868230104 CET	50030	445	192.168.2.5	60.43.125.135
Jan 14, 2025 23:34:31.868258953 CET	50032	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.868496895 CET	50033	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.873357058 CET	445	50032	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:31.873414040 CET	445	50033	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:31.873565912 CET	50032	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.873621941 CET	50033	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.873621941 CET	50033	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:31.878513098 CET	445	50033	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:33.094825029 CET	445	49737	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:33.094917059 CET	49737	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:33.095007896 CET	49737	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:33.095009089 CET	49737	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:33.099817038 CET	445	49737	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:33.100018024 CET	445	49737	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:33.872967005 CET	50065	445	192.168.2.5	198.241.75.224
Jan 14, 2025 23:34:34.082715034 CET	445	50065	198.241.75.224	192.168.2.5
Jan 14, 2025 23:34:34.082897902 CET	50065	445	192.168.2.5	198.241.75.224
Jan 14, 2025 23:34:34.082993984 CET	50065	445	192.168.2.5	198.241.75.224
Jan 14, 2025 23:34:34.083005905 CET	50069	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.087850094 CET	445	50069	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:34.087955952 CET	50069	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.087955952 CET	50069	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.088162899 CET	445	50065	198.241.75.224	192.168.2.5
Jan 14, 2025 23:34:34.088217974 CET	50065	445	192.168.2.5	198.241.75.224
Jan 14, 2025 23:34:34.088324070 CET	50070	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.092993975 CET	445	50069	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:34.093056917 CET	50069	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.093081951 CET	445	50070	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:34.093147993 CET	50070	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.093161106 CET	50070	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:34.097943068 CET	445	50070	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:34.435226917 CET	50079	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:34.440187931 CET	445	50079	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:34.440314054 CET	50079	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:34.440377951 CET	50079	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:34.445142984 CET	445	50079	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:35.888559103 CET	50084	445	192.168.2.5	164.159.211.90
Jan 14, 2025 23:34:36.107114077 CET	50085	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:36.204130888 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.204253912 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:36.204324961 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:36.204325914 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.204385042 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:36.204385042 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:36.204535961 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.204615116 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:36.204989910 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.205039978 CET	49761	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:36.206163883 CET	445	50084	164.159.211.90	192.168.2.5
Jan 14, 2025 23:34:36.206175089 CET	445	50085	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:36.206237078 CET	50084	445	192.168.2.5	164.159.211.90
Jan 14, 2025 23:34:36.206271887 CET	50085	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:36.206309080 CET	50084	445	192.168.2.5	164.159.211.90
Jan 14, 2025 23:34:36.206379890 CET	50085	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:36.206512928 CET	50086	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.209233999 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.209247112 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.209254980 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.209357977 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.209831953 CET	445	49761	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:36.213992119 CET	445	50085	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:36.214001894 CET	445	50086	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:36.214052916 CET	445	50084	164.159.211.90	192.168.2.5
Jan 14, 2025 23:34:36.214075089 CET	50086	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.214103937 CET	50084	445	192.168.2.5	164.159.211.90
Jan 14, 2025 23:34:36.214179993 CET	50086	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.214473009 CET	50088	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.219300032 CET	445	50088	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:36.219383955 CET	50088	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.219419956 CET	445	50086	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:36.219469070 CET	50088	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.219484091 CET	50086	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:36.226038933 CET	445	50088	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:36.614630938 CET	53091	53	192.168.2.5	162.159.36.2
Jan 14, 2025 23:34:36.619507074 CET	53	53091	162.159.36.2	192.168.2.5
Jan 14, 2025 23:34:36.619592905 CET	53091	53	192.168.2.5	162.159.36.2
Jan 14, 2025 23:34:36.624398947 CET	53	53091	162.159.36.2	192.168.2.5
Jan 14, 2025 23:34:37.067817926 CET	53091	53	192.168.2.5	162.159.36.2
Jan 14, 2025 23:34:37.072926998 CET	53	53091	162.159.36.2	192.168.2.5
Jan 14, 2025 23:34:37.072999954 CET	53091	53	192.168.2.5	162.159.36.2
Jan 14, 2025 23:34:37.125796080 CET	445	49784	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:37.125957966 CET	49784	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:37.125958920 CET	49784	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:37.126147032 CET	49784	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:37.130788088 CET	445	49784	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:37.130930901 CET	445	49784	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:37.904041052 CET	53100	445	192.168.2.5	83.169.224.247
Jan 14, 2025 23:34:37.908823013 CET	445	53100	83.169.224.247	192.168.2.5
Jan 14, 2025 23:34:37.908938885 CET	53100	445	192.168.2.5	83.169.224.247
Jan 14, 2025 23:34:37.908965111 CET	53100	445	192.168.2.5	83.169.224.247
Jan 14, 2025 23:34:37.909087896 CET	53101	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.913886070 CET	445	53100	83.169.224.247	192.168.2.5
Jan 14, 2025 23:34:37.913897991 CET	445	53101	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:37.913937092 CET	53100	445	192.168.2.5	83.169.224.247
Jan 14, 2025 23:34:37.913963079 CET	53101	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.914037943 CET	53101	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.914297104 CET	53102	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.918901920 CET	445	53101	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:37.918962002 CET	53101	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.919068098 CET	445	53102	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:37.919126987 CET	53102	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.919163942 CET	53102	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:37.923916101 CET	445	53102	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:39.141937971 CET	445	49808	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:39.142138004 CET	49808	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:39.142138958 CET	49808	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:39.142235041 CET	49808	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:39.147726059 CET	445	49808	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:39.147736073 CET	445	49808	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:39.216759920 CET	53112	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:39.221659899 CET	445	53112	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:39.223411083 CET	53112	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:39.223474026 CET	53112	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:34:39.228250980 CET	445	53112	58.192.79.1	192.168.2.5
Jan 14, 2025 23:34:39.920150995 CET	53118	445	192.168.2.5	197.111.193.53
Jan 14, 2025 23:34:39.925045013 CET	445	53118	197.111.193.53	192.168.2.5
Jan 14, 2025 23:34:39.926873922 CET	53118	445	192.168.2.5	197.111.193.53
Jan 14, 2025 23:34:39.957207918 CET	53118	445	192.168.2.5	197.111.193.53
Jan 14, 2025 23:34:39.962059021 CET	445	53118	197.111.193.53	192.168.2.5
Jan 14, 2025 23:34:39.962151051 CET	53118	445	192.168.2.5	197.111.193.53
Jan 14, 2025 23:34:39.971812963 CET	53119	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:39.976654053 CET	445	53119	197.111.193.1	192.168.2.5
Jan 14, 2025 23:34:39.976855040 CET	53119	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:39.997998953 CET	53119	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:39.999293089 CET	53120	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:40.002975941 CET	445	53119	197.111.193.1	192.168.2.5
Jan 14, 2025 23:34:40.003062010 CET	53119	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:40.004570961 CET	445	53120	197.111.193.1	192.168.2.5
Jan 14, 2025 23:34:40.004637957 CET	53120	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:40.004693031 CET	53120	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:34:40.009464025 CET	445	53120	197.111.193.1	192.168.2.5
Jan 14, 2025 23:34:40.138305902 CET	53121	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:40.143934965 CET	445	53121	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:40.143997908 CET	53121	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:40.144052029 CET	53121	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:34:40.149827003 CET	445	53121	163.33.155.1	192.168.2.5
Jan 14, 2025 23:34:41.152889013 CET	445	49833	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:41.156867027 CET	49833	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:41.156939983 CET	49833	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:41.156974077 CET	49833	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:41.161809921 CET	445	49833	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:41.161818981 CET	445	49833	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:41.935367107 CET	53136	445	192.168.2.5	153.5.218.251
Jan 14, 2025 23:34:41.940139055 CET	445	53136	153.5.218.251	192.168.2.5
Jan 14, 2025 23:34:41.940221071 CET	53136	445	192.168.2.5	153.5.218.251
Jan 14, 2025 23:34:41.940229893 CET	53136	445	192.168.2.5	153.5.218.251
Jan 14, 2025 23:34:41.940326929 CET	53137	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.945116043 CET	445	53137	153.5.218.1	192.168.2.5
Jan 14, 2025 23:34:41.945200920 CET	53137	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.945200920 CET	53137	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.945322037 CET	445	53136	153.5.218.251	192.168.2.5
Jan 14, 2025 23:34:41.945394993 CET	53136	445	192.168.2.5	153.5.218.251
Jan 14, 2025 23:34:41.945611000 CET	53138	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.950278997 CET	445	53137	153.5.218.1	192.168.2.5
Jan 14, 2025 23:34:41.950339079 CET	53137	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.950385094 CET	445	53138	153.5.218.1	192.168.2.5
Jan 14, 2025 23:34:41.950458050 CET	53138	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.950582027 CET	53138	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:34:41.955298901 CET	445	53138	153.5.218.1	192.168.2.5
Jan 14, 2025 23:34:42.154185057 CET	53141	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:42.159054041 CET	445	53141	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:42.159157038 CET	53141	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:42.159221888 CET	53141	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:34:42.163980007 CET	445	53141	115.64.228.1	192.168.2.5
Jan 14, 2025 23:34:43.137968063 CET	445	49859	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:43.138081074 CET	49859	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:43.138168097 CET	49859	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:43.138168097 CET	49859	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:43.143022060 CET	445	49859	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:43.143034935 CET	445	49859	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:44.169852972 CET	53152	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:44.231309891 CET	445	53152	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:44.231431961 CET	53152	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:44.231523037 CET	53152	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:34:44.236295938 CET	445	53152	74.178.121.1	192.168.2.5
Jan 14, 2025 23:34:45.076067924 CET	53157	445	192.168.2.5	194.204.94.189
Jan 14, 2025 23:34:45.080943108 CET	445	53157	194.204.94.189	192.168.2.5
Jan 14, 2025 23:34:45.081034899 CET	53157	445	192.168.2.5	194.204.94.189
Jan 14, 2025 23:34:45.081058025 CET	53157	445	192.168.2.5	194.204.94.189
Jan 14, 2025 23:34:45.081171989 CET	53158	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.086029053 CET	445	53158	194.204.94.1	192.168.2.5
Jan 14, 2025 23:34:45.086042881 CET	445	53157	194.204.94.189	192.168.2.5
Jan 14, 2025 23:34:45.086117983 CET	53157	445	192.168.2.5	194.204.94.189
Jan 14, 2025 23:34:45.086129904 CET	53158	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.086235046 CET	53158	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.086646080 CET	53159	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.091072083 CET	445	53158	194.204.94.1	192.168.2.5
Jan 14, 2025 23:34:45.091149092 CET	53158	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.091504097 CET	445	53159	194.204.94.1	192.168.2.5
Jan 14, 2025 23:34:45.091573954 CET	53159	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.091614008 CET	53159	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:34:45.096405983 CET	445	53159	194.204.94.1	192.168.2.5
Jan 14, 2025 23:34:45.185400009 CET	445	49893	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:45.185477018 CET	49893	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:45.185509920 CET	49893	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:45.185560942 CET	49893	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:45.190288067 CET	445	49893	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:45.190300941 CET	445	49893	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:45.826209068 CET	53162	445	192.168.2.5	69.170.172.251
Jan 14, 2025 23:34:45.832001925 CET	445	53162	69.170.172.251	192.168.2.5
Jan 14, 2025 23:34:45.832205057 CET	53162	445	192.168.2.5	69.170.172.251
Jan 14, 2025 23:34:45.832206011 CET	53162	445	192.168.2.5	69.170.172.251
Jan 14, 2025 23:34:45.832425117 CET	53163	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.837517977 CET	445	53163	69.170.172.1	192.168.2.5
Jan 14, 2025 23:34:45.837551117 CET	445	53162	69.170.172.251	192.168.2.5
Jan 14, 2025 23:34:45.837620020 CET	53163	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.837790012 CET	53162	445	192.168.2.5	69.170.172.251
Jan 14, 2025 23:34:45.837791920 CET	53163	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.837908983 CET	53164	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.842591047 CET	445	53163	69.170.172.1	192.168.2.5
Jan 14, 2025 23:34:45.842655897 CET	53163	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.842674971 CET	445	53164	69.170.172.1	192.168.2.5
Jan 14, 2025 23:34:45.842735052 CET	53164	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.842763901 CET	53164	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:34:45.848315954 CET	445	53164	69.170.172.1	192.168.2.5
Jan 14, 2025 23:34:46.154131889 CET	53167	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:46.159181118 CET	445	53167	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:46.159632921 CET	53167	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:46.159632921 CET	53167	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:34:46.164530993 CET	445	53167	167.175.169.1	192.168.2.5
Jan 14, 2025 23:34:47.200262070 CET	445	49929	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:47.204880953 CET	49929	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:47.204919100 CET	49929	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:47.204965115 CET	49929	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:47.209839106 CET	445	49929	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:47.209868908 CET	445	49929	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:47.576082945 CET	53178	445	192.168.2.5	215.212.124.8
Jan 14, 2025 23:34:47.581290960 CET	445	53178	215.212.124.8	192.168.2.5
Jan 14, 2025 23:34:47.583409071 CET	53178	445	192.168.2.5	215.212.124.8
Jan 14, 2025 23:34:47.583595991 CET	53178	445	192.168.2.5	215.212.124.8
Jan 14, 2025 23:34:47.583867073 CET	53179	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.588759899 CET	445	53179	215.212.124.1	192.168.2.5
Jan 14, 2025 23:34:47.588956118 CET	53179	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.588959932 CET	445	53178	215.212.124.8	192.168.2.5
Jan 14, 2025 23:34:47.589010954 CET	53179	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.589023113 CET	53178	445	192.168.2.5	215.212.124.8
Jan 14, 2025 23:34:47.589277029 CET	53180	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.593962908 CET	445	53179	215.212.124.1	192.168.2.5
Jan 14, 2025 23:34:47.594121933 CET	445	53180	215.212.124.1	192.168.2.5
Jan 14, 2025 23:34:47.594151020 CET	53179	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.594245911 CET	53180	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.594265938 CET	53180	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:34:47.599077940 CET	445	53180	215.212.124.1	192.168.2.5
Jan 14, 2025 23:34:48.200725079 CET	53185	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:48.205611944 CET	445	53185	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:48.205708981 CET	53185	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:48.205743074 CET	53185	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:34:48.210592031 CET	445	53185	133.205.133.1	192.168.2.5
Jan 14, 2025 23:34:49.185127974 CET	445	49965	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:49.185213089 CET	49965	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:49.185251951 CET	49965	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:49.185278893 CET	49965	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:49.190227985 CET	445	49965	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:49.190258026 CET	445	49965	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:49.216730118 CET	53192	445	192.168.2.5	149.224.92.109
Jan 14, 2025 23:34:49.221647978 CET	445	53192	149.224.92.109	192.168.2.5
Jan 14, 2025 23:34:49.221765041 CET	53192	445	192.168.2.5	149.224.92.109
Jan 14, 2025 23:34:49.221823931 CET	53192	445	192.168.2.5	149.224.92.109
Jan 14, 2025 23:34:49.221966028 CET	53193	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.226855993 CET	445	53193	149.224.92.1	192.168.2.5
Jan 14, 2025 23:34:49.226883888 CET	445	53192	149.224.92.109	192.168.2.5
Jan 14, 2025 23:34:49.226932049 CET	53193	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.226938009 CET	53192	445	192.168.2.5	149.224.92.109
Jan 14, 2025 23:34:49.227001905 CET	53193	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.227327108 CET	53194	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.232002020 CET	445	53193	149.224.92.1	192.168.2.5
Jan 14, 2025 23:34:49.232081890 CET	53193	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.232146978 CET	445	53194	149.224.92.1	192.168.2.5
Jan 14, 2025 23:34:49.232220888 CET	53194	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.232285976 CET	53194	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:34:49.237201929 CET	445	53194	149.224.92.1	192.168.2.5
Jan 14, 2025 23:34:50.216331005 CET	53202	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:50.221518040 CET	445	53202	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:50.222311974 CET	53202	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:50.222342014 CET	53202	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:34:50.227235079 CET	445	53202	148.13.134.1	192.168.2.5
Jan 14, 2025 23:34:50.748954058 CET	53206	445	192.168.2.5	140.174.26.201
Jan 14, 2025 23:34:50.753923893 CET	445	53206	140.174.26.201	192.168.2.5
Jan 14, 2025 23:34:50.754101038 CET	53206	445	192.168.2.5	140.174.26.201
Jan 14, 2025 23:34:50.754118919 CET	53206	445	192.168.2.5	140.174.26.201
Jan 14, 2025 23:34:50.754240036 CET	53207	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.759051085 CET	445	53207	140.174.26.1	192.168.2.5
Jan 14, 2025 23:34:50.759121895 CET	53207	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.759139061 CET	53207	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.759495020 CET	53208	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.761774063 CET	445	53206	140.174.26.201	192.168.2.5
Jan 14, 2025 23:34:50.764358044 CET	445	53208	140.174.26.1	192.168.2.5
Jan 14, 2025 23:34:50.764457941 CET	53208	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.764496088 CET	53208	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.765558004 CET	445	53206	140.174.26.201	192.168.2.5
Jan 14, 2025 23:34:50.765619040 CET	53206	445	192.168.2.5	140.174.26.201
Jan 14, 2025 23:34:50.765681982 CET	445	53207	140.174.26.1	192.168.2.5
Jan 14, 2025 23:34:50.765738010 CET	53207	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:34:50.769263983 CET	445	53208	140.174.26.1	192.168.2.5
Jan 14, 2025 23:34:51.231898069 CET	445	49999	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:51.232304096 CET	49999	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:51.232305050 CET	49999	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:51.232400894 CET	49999	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:51.237351894 CET	445	49999	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:51.237508059 CET	445	49999	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:52.169882059 CET	53218	445	192.168.2.5	145.214.61.104
Jan 14, 2025 23:34:52.174770117 CET	445	53218	145.214.61.104	192.168.2.5
Jan 14, 2025 23:34:52.174901962 CET	53218	445	192.168.2.5	145.214.61.104
Jan 14, 2025 23:34:52.175039053 CET	53218	445	192.168.2.5	145.214.61.104
Jan 14, 2025 23:34:52.175332069 CET	53219	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.180191994 CET	445	53219	145.214.61.1	192.168.2.5
Jan 14, 2025 23:34:52.180274010 CET	53219	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.180422068 CET	53219	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.180599928 CET	53220	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.181792021 CET	445	53218	145.214.61.104	192.168.2.5
Jan 14, 2025 23:34:52.185436010 CET	445	53220	145.214.61.1	192.168.2.5
Jan 14, 2025 23:34:52.185499907 CET	53220	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.185518026 CET	53220	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.185842037 CET	445	53219	145.214.61.1	192.168.2.5
Jan 14, 2025 23:34:52.190334082 CET	445	53220	145.214.61.1	192.168.2.5
Jan 14, 2025 23:34:52.192605972 CET	445	53218	145.214.61.104	192.168.2.5
Jan 14, 2025 23:34:52.192683935 CET	53218	445	192.168.2.5	145.214.61.104
Jan 14, 2025 23:34:52.197174072 CET	445	53219	145.214.61.1	192.168.2.5
Jan 14, 2025 23:34:52.197280884 CET	53219	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:34:52.200720072 CET	53222	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:52.205528021 CET	445	53222	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:52.205596924 CET	53222	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:52.205629110 CET	53222	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:34:52.210477114 CET	445	53222	161.190.209.1	192.168.2.5
Jan 14, 2025 23:34:53.264951944 CET	445	50033	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:53.265218973 CET	50033	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:53.265219927 CET	50033	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:53.265219927 CET	50033	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:53.270225048 CET	445	50033	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:53.270255089 CET	445	50033	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:53.497905970 CET	53231	445	192.168.2.5	164.90.167.99
Jan 14, 2025 23:34:53.503038883 CET	445	53231	164.90.167.99	192.168.2.5
Jan 14, 2025 23:34:53.503184080 CET	53231	445	192.168.2.5	164.90.167.99
Jan 14, 2025 23:34:53.503211975 CET	53231	445	192.168.2.5	164.90.167.99
Jan 14, 2025 23:34:53.503371000 CET	53232	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.508255005 CET	445	53232	164.90.167.1	192.168.2.5
Jan 14, 2025 23:34:53.508352995 CET	445	53231	164.90.167.99	192.168.2.5
Jan 14, 2025 23:34:53.508369923 CET	53232	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.508369923 CET	53232	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.508583069 CET	53233	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.508600950 CET	53231	445	192.168.2.5	164.90.167.99
Jan 14, 2025 23:34:53.513479948 CET	445	53232	164.90.167.1	192.168.2.5
Jan 14, 2025 23:34:53.513509989 CET	445	53233	164.90.167.1	192.168.2.5
Jan 14, 2025 23:34:53.513534069 CET	53232	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.513569117 CET	53233	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.513592005 CET	53233	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:34:53.518518925 CET	445	53233	164.90.167.1	192.168.2.5
Jan 14, 2025 23:34:54.247603893 CET	53238	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:54.252540112 CET	445	53238	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:54.253911018 CET	53238	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:54.254018068 CET	53238	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:34:54.258831024 CET	445	53238	202.122.32.1	192.168.2.5
Jan 14, 2025 23:34:54.732665062 CET	53242	445	192.168.2.5	61.204.190.117
Jan 14, 2025 23:34:54.737654924 CET	445	53242	61.204.190.117	192.168.2.5
Jan 14, 2025 23:34:54.737806082 CET	53242	445	192.168.2.5	61.204.190.117
Jan 14, 2025 23:34:54.737930059 CET	53242	445	192.168.2.5	61.204.190.117
Jan 14, 2025 23:34:54.738312006 CET	53243	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:54.742877960 CET	445	53242	61.204.190.117	192.168.2.5
Jan 14, 2025 23:34:54.742964029 CET	53242	445	192.168.2.5	61.204.190.117
Jan 14, 2025 23:34:54.743160009 CET	445	53243	61.204.190.1	192.168.2.5
Jan 14, 2025 23:34:54.743242025 CET	53243	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:54.743257046 CET	53243	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:54.743602991 CET	53244	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:54.748395920 CET	445	53244	61.204.190.1	192.168.2.5
Jan 14, 2025 23:34:54.749078989 CET	53244	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:54.749089956 CET	53244	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:54.749766111 CET	445	53243	61.204.190.1	192.168.2.5
Jan 14, 2025 23:34:54.753916025 CET	445	53244	61.204.190.1	192.168.2.5
Jan 14, 2025 23:34:54.768645048 CET	445	53243	61.204.190.1	192.168.2.5
Jan 14, 2025 23:34:54.768702984 CET	53243	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:34:55.486661911 CET	445	50070	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:55.487381935 CET	50070	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:55.487416029 CET	50070	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:55.487464905 CET	50070	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:55.492324114 CET	445	50070	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:55.492353916 CET	445	50070	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:55.813924074 CET	445	50079	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:55.813993931 CET	50079	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:55.814069986 CET	50079	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:55.814166069 CET	50079	445	192.168.2.5	22.33.251.1
Jan 14, 2025 23:34:55.818872929 CET	445	50079	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:55.818972111 CET	445	50079	22.33.251.1	192.168.2.5
Jan 14, 2025 23:34:55.872893095 CET	53253	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.877774000 CET	445	53253	22.33.251.2	192.168.2.5
Jan 14, 2025 23:34:55.877851009 CET	53253	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.877942085 CET	53253	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.878307104 CET	53254	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.882847071 CET	445	53253	22.33.251.2	192.168.2.5
Jan 14, 2025 23:34:55.882910967 CET	53253	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.883106947 CET	445	53254	22.33.251.2	192.168.2.5
Jan 14, 2025 23:34:55.883186102 CET	53254	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.883228064 CET	53254	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:34:55.888003111 CET	445	53254	22.33.251.2	192.168.2.5
Jan 14, 2025 23:34:55.888425112 CET	53255	445	192.168.2.5	80.104.46.124
Jan 14, 2025 23:34:55.893338919 CET	445	53255	80.104.46.124	192.168.2.5
Jan 14, 2025 23:34:55.893407106 CET	53255	445	192.168.2.5	80.104.46.124
Jan 14, 2025 23:34:55.893465996 CET	53255	445	192.168.2.5	80.104.46.124
Jan 14, 2025 23:34:55.893724918 CET	53256	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.898497105 CET	445	53255	80.104.46.124	192.168.2.5
Jan 14, 2025 23:34:55.898550987 CET	53255	445	192.168.2.5	80.104.46.124
Jan 14, 2025 23:34:55.898617983 CET	445	53256	80.104.46.1	192.168.2.5
Jan 14, 2025 23:34:55.898690939 CET	53256	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.898744106 CET	53256	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.899081945 CET	53257	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.903662920 CET	445	53256	80.104.46.1	192.168.2.5
Jan 14, 2025 23:34:55.903728962 CET	53256	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.904033899 CET	445	53257	80.104.46.1	192.168.2.5
Jan 14, 2025 23:34:55.904149055 CET	53257	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.904194117 CET	53257	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:34:55.909033060 CET	445	53257	80.104.46.1	192.168.2.5
Jan 14, 2025 23:34:56.278913021 CET	53258	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:56.283835888 CET	445	53258	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:56.283920050 CET	53258	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:56.283936024 CET	53258	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:34:56.288813114 CET	445	53258	60.43.125.1	192.168.2.5
Jan 14, 2025 23:34:56.966833115 CET	53264	445	192.168.2.5	119.11.25.6
Jan 14, 2025 23:34:56.971677065 CET	445	53264	119.11.25.6	192.168.2.5
Jan 14, 2025 23:34:56.971770048 CET	53264	445	192.168.2.5	119.11.25.6
Jan 14, 2025 23:34:56.971810102 CET	53264	445	192.168.2.5	119.11.25.6
Jan 14, 2025 23:34:56.971941948 CET	53265	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.976794958 CET	445	53265	119.11.25.1	192.168.2.5
Jan 14, 2025 23:34:56.976809025 CET	445	53264	119.11.25.6	192.168.2.5
Jan 14, 2025 23:34:56.976878881 CET	53264	445	192.168.2.5	119.11.25.6
Jan 14, 2025 23:34:56.976900101 CET	53265	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.976901054 CET	53265	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.977199078 CET	53266	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.981822014 CET	445	53265	119.11.25.1	192.168.2.5
Jan 14, 2025 23:34:56.982088089 CET	445	53266	119.11.25.1	192.168.2.5
Jan 14, 2025 23:34:56.982151985 CET	53265	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.982180119 CET	53266	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.982223034 CET	53266	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:34:56.986994982 CET	445	53266	119.11.25.1	192.168.2.5
Jan 14, 2025 23:34:57.591250896 CET	445	50085	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:57.591267109 CET	445	50088	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:57.591348886 CET	50085	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:57.591434956 CET	50085	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:57.591444016 CET	50088	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:57.591491938 CET	50085	445	192.168.2.5	69.124.198.1
Jan 14, 2025 23:34:57.592227936 CET	50088	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:57.592228889 CET	50088	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:34:57.596344948 CET	445	50085	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:57.596385956 CET	445	50085	69.124.198.1	192.168.2.5
Jan 14, 2025 23:34:57.597075939 CET	445	50088	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:57.597089052 CET	445	50088	164.159.211.1	192.168.2.5
Jan 14, 2025 23:34:57.654100895 CET	53272	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.658924103 CET	445	53272	69.124.198.2	192.168.2.5
Jan 14, 2025 23:34:57.659101009 CET	53272	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.659131050 CET	53272	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.659425974 CET	53273	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.664102077 CET	445	53272	69.124.198.2	192.168.2.5
Jan 14, 2025 23:34:57.664159060 CET	53272	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.664251089 CET	445	53273	69.124.198.2	192.168.2.5
Jan 14, 2025 23:34:57.664308071 CET	53273	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.664333105 CET	53273	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:34:57.669861078 CET	445	53273	69.124.198.2	192.168.2.5
Jan 14, 2025 23:34:57.982377052 CET	53276	445	192.168.2.5	160.234.246.195
Jan 14, 2025 23:34:58.094400883 CET	445	53276	160.234.246.195	192.168.2.5
Jan 14, 2025 23:34:58.094475031 CET	53276	445	192.168.2.5	160.234.246.195
Jan 14, 2025 23:34:58.094552994 CET	53276	445	192.168.2.5	160.234.246.195
Jan 14, 2025 23:34:58.094690084 CET	53277	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.099678993 CET	445	53277	160.234.246.1	192.168.2.5
Jan 14, 2025 23:34:58.099740028 CET	53277	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.099785089 CET	53277	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.099791050 CET	445	53276	160.234.246.195	192.168.2.5
Jan 14, 2025 23:34:58.099842072 CET	53276	445	192.168.2.5	160.234.246.195
Jan 14, 2025 23:34:58.100042105 CET	53281	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.104834080 CET	445	53277	160.234.246.1	192.168.2.5
Jan 14, 2025 23:34:58.104846954 CET	445	53281	160.234.246.1	192.168.2.5
Jan 14, 2025 23:34:58.104897022 CET	53277	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.104904890 CET	53281	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.104927063 CET	53281	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:34:58.109836102 CET	445	53281	160.234.246.1	192.168.2.5
Jan 14, 2025 23:34:58.497822046 CET	53282	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:58.503098965 CET	445	53282	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:58.503184080 CET	53282	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:58.503200054 CET	53282	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:34:58.507965088 CET	445	53282	198.241.75.1	192.168.2.5
Jan 14, 2025 23:34:58.920039892 CET	53288	445	192.168.2.5	124.94.33.112
Jan 14, 2025 23:34:58.925378084 CET	445	53288	124.94.33.112	192.168.2.5
Jan 14, 2025 23:34:58.925473928 CET	53288	445	192.168.2.5	124.94.33.112
Jan 14, 2025 23:34:58.925602913 CET	53288	445	192.168.2.5	124.94.33.112
Jan 14, 2025 23:34:58.925602913 CET	53289	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.930397034 CET	445	53289	124.94.33.1	192.168.2.5
Jan 14, 2025 23:34:58.930444002 CET	445	53288	124.94.33.112	192.168.2.5
Jan 14, 2025 23:34:58.930494070 CET	53289	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.930526018 CET	53289	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.930529118 CET	53288	445	192.168.2.5	124.94.33.112
Jan 14, 2025 23:34:58.930819035 CET	53290	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.935446024 CET	445	53289	124.94.33.1	192.168.2.5
Jan 14, 2025 23:34:58.935523033 CET	53289	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.935625076 CET	445	53290	124.94.33.1	192.168.2.5
Jan 14, 2025 23:34:58.935676098 CET	53290	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.935707092 CET	53290	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:34:58.940507889 CET	445	53290	124.94.33.1	192.168.2.5
Jan 14, 2025 23:34:59.296061039 CET	445	53102	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:59.296143055 CET	53102	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:59.296189070 CET	53102	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:59.296260118 CET	53102	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:34:59.300951004 CET	445	53102	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:59.300997972 CET	445	53102	83.169.224.1	192.168.2.5
Jan 14, 2025 23:34:59.799040079 CET	53296	445	192.168.2.5	190.175.99.91
Jan 14, 2025 23:34:59.803953886 CET	445	53296	190.175.99.91	192.168.2.5
Jan 14, 2025 23:34:59.804018974 CET	53296	445	192.168.2.5	190.175.99.91
Jan 14, 2025 23:34:59.804095984 CET	53296	445	192.168.2.5	190.175.99.91
Jan 14, 2025 23:34:59.804313898 CET	53297	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.809150934 CET	445	53297	190.175.99.1	192.168.2.5
Jan 14, 2025 23:34:59.809166908 CET	445	53296	190.175.99.91	192.168.2.5
Jan 14, 2025 23:34:59.809211969 CET	53297	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.809233904 CET	53296	445	192.168.2.5	190.175.99.91
Jan 14, 2025 23:34:59.809251070 CET	53297	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.809614897 CET	53298	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.814115047 CET	445	53297	190.175.99.1	192.168.2.5
Jan 14, 2025 23:34:59.814161062 CET	53297	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.814405918 CET	445	53298	190.175.99.1	192.168.2.5
Jan 14, 2025 23:34:59.814471960 CET	53298	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.814506054 CET	53298	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:34:59.819288015 CET	445	53298	190.175.99.1	192.168.2.5
Jan 14, 2025 23:35:00.577465057 CET	445	53112	58.192.79.1	192.168.2.5
Jan 14, 2025 23:35:00.577579975 CET	53112	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:35:00.577644110 CET	53112	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:35:00.577738047 CET	53112	445	192.168.2.5	58.192.79.1
Jan 14, 2025 23:35:00.584361076 CET	445	53112	58.192.79.1	192.168.2.5
Jan 14, 2025 23:35:00.584525108 CET	445	53112	58.192.79.1	192.168.2.5
Jan 14, 2025 23:35:00.607232094 CET	53304	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:35:00.614126921 CET	445	53304	164.159.211.1	192.168.2.5
Jan 14, 2025 23:35:00.614316940 CET	53304	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:35:00.614316940 CET	53304	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:35:00.620997906 CET	445	53304	164.159.211.1	192.168.2.5
Jan 14, 2025 23:35:00.623153925 CET	53305	445	192.168.2.5	108.170.252.106
Jan 14, 2025 23:35:00.628151894 CET	445	53305	108.170.252.106	192.168.2.5
Jan 14, 2025 23:35:00.628248930 CET	53305	445	192.168.2.5	108.170.252.106
Jan 14, 2025 23:35:00.628338099 CET	53305	445	192.168.2.5	108.170.252.106
Jan 14, 2025 23:35:00.628591061 CET	53306	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.635152102 CET	445	53305	108.170.252.106	192.168.2.5
Jan 14, 2025 23:35:00.635232925 CET	53305	445	192.168.2.5	108.170.252.106
Jan 14, 2025 23:35:00.635454893 CET	445	53306	108.170.252.1	192.168.2.5
Jan 14, 2025 23:35:00.635529041 CET	53306	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.635623932 CET	53306	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.636033058 CET	53307	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.638556004 CET	53308	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.642376900 CET	445	53306	108.170.252.1	192.168.2.5
Jan 14, 2025 23:35:00.642456055 CET	53306	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.642658949 CET	445	53307	108.170.252.1	192.168.2.5
Jan 14, 2025 23:35:00.642719030 CET	53307	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.642751932 CET	53307	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:00.645267963 CET	445	53308	58.192.79.2	192.168.2.5
Jan 14, 2025 23:35:00.645333052 CET	53308	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.645404100 CET	53308	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.645663023 CET	53309	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.649458885 CET	445	53307	108.170.252.1	192.168.2.5
Jan 14, 2025 23:35:00.652343988 CET	445	53308	58.192.79.2	192.168.2.5
Jan 14, 2025 23:35:00.652431011 CET	53308	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.652487993 CET	445	53309	58.192.79.2	192.168.2.5
Jan 14, 2025 23:35:00.652546883 CET	53309	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.652584076 CET	53309	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:00.659436941 CET	445	53309	58.192.79.2	192.168.2.5
Jan 14, 2025 23:35:01.376310110 CET	445	53120	197.111.193.1	192.168.2.5
Jan 14, 2025 23:35:01.376386881 CET	53120	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:01.376480103 CET	53120	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:01.376532078 CET	53120	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:01.381289005 CET	445	53120	197.111.193.1	192.168.2.5
Jan 14, 2025 23:35:01.381303072 CET	445	53120	197.111.193.1	192.168.2.5
Jan 14, 2025 23:35:01.388547897 CET	53315	445	192.168.2.5	123.102.22.183
Jan 14, 2025 23:35:01.393506050 CET	445	53315	123.102.22.183	192.168.2.5
Jan 14, 2025 23:35:01.393573999 CET	53315	445	192.168.2.5	123.102.22.183
Jan 14, 2025 23:35:01.393616915 CET	53315	445	192.168.2.5	123.102.22.183
Jan 14, 2025 23:35:01.393800020 CET	53316	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.398662090 CET	445	53315	123.102.22.183	192.168.2.5
Jan 14, 2025 23:35:01.398677111 CET	445	53316	123.102.22.1	192.168.2.5
Jan 14, 2025 23:35:01.398718119 CET	53315	445	192.168.2.5	123.102.22.183
Jan 14, 2025 23:35:01.398827076 CET	53316	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.398827076 CET	53316	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.399010897 CET	53317	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.403803110 CET	445	53317	123.102.22.1	192.168.2.5
Jan 14, 2025 23:35:01.403856039 CET	445	53316	123.102.22.1	192.168.2.5
Jan 14, 2025 23:35:01.403908014 CET	53317	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.403908014 CET	53317	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.403958082 CET	53316	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:01.408723116 CET	445	53317	123.102.22.1	192.168.2.5
Jan 14, 2025 23:35:01.532902002 CET	445	53121	163.33.155.1	192.168.2.5
Jan 14, 2025 23:35:01.532991886 CET	53121	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:35:01.533041000 CET	53121	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:35:01.533092022 CET	53121	445	192.168.2.5	163.33.155.1
Jan 14, 2025 23:35:01.537945986 CET	445	53121	163.33.155.1	192.168.2.5
Jan 14, 2025 23:35:01.537959099 CET	445	53121	163.33.155.1	192.168.2.5
Jan 14, 2025 23:35:01.591810942 CET	53318	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.596719980 CET	445	53318	163.33.155.2	192.168.2.5
Jan 14, 2025 23:35:01.596841097 CET	53318	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.596901894 CET	53318	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.597292900 CET	53319	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.601794958 CET	445	53318	163.33.155.2	192.168.2.5
Jan 14, 2025 23:35:01.601855040 CET	53318	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.602072954 CET	445	53319	163.33.155.2	192.168.2.5
Jan 14, 2025 23:35:01.602133989 CET	53319	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.602169037 CET	53319	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:01.606930017 CET	445	53319	163.33.155.2	192.168.2.5
Jan 14, 2025 23:35:02.314342022 CET	53326	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:35:02.320600986 CET	445	53326	83.169.224.1	192.168.2.5
Jan 14, 2025 23:35:02.320687056 CET	53326	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:35:02.320718050 CET	53326	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:35:02.330039978 CET	445	53326	83.169.224.1	192.168.2.5
Jan 14, 2025 23:35:03.311871052 CET	445	53138	153.5.218.1	192.168.2.5
Jan 14, 2025 23:35:03.314467907 CET	53138	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:03.314575911 CET	53138	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:03.314634085 CET	53138	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:03.319355011 CET	445	53138	153.5.218.1	192.168.2.5
Jan 14, 2025 23:35:03.319422007 CET	445	53138	153.5.218.1	192.168.2.5
Jan 14, 2025 23:35:03.517193079 CET	445	53141	115.64.228.1	192.168.2.5
Jan 14, 2025 23:35:03.517625093 CET	53141	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:35:03.517626047 CET	53141	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:35:03.517726898 CET	53141	445	192.168.2.5	115.64.228.1
Jan 14, 2025 23:35:03.522479057 CET	445	53141	115.64.228.1	192.168.2.5
Jan 14, 2025 23:35:03.522593021 CET	445	53141	115.64.228.1	192.168.2.5
Jan 14, 2025 23:35:03.576097965 CET	53340	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.581574917 CET	445	53340	115.64.228.2	192.168.2.5
Jan 14, 2025 23:35:03.581794024 CET	53340	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.581794024 CET	53340	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.582087040 CET	53341	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.587157965 CET	445	53340	115.64.228.2	192.168.2.5
Jan 14, 2025 23:35:03.587223053 CET	445	53341	115.64.228.2	192.168.2.5
Jan 14, 2025 23:35:03.587234020 CET	53340	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.587286949 CET	53341	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.587306976 CET	53341	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:03.592103004 CET	445	53341	115.64.228.2	192.168.2.5
Jan 14, 2025 23:35:04.388372898 CET	53350	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:04.421235085 CET	445	53350	197.111.193.1	192.168.2.5
Jan 14, 2025 23:35:04.422454119 CET	53350	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:04.422540903 CET	53350	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:04.427304029 CET	445	53350	197.111.193.1	192.168.2.5
Jan 14, 2025 23:35:05.593591928 CET	445	53152	74.178.121.1	192.168.2.5
Jan 14, 2025 23:35:05.593686104 CET	53152	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:35:05.593782902 CET	53152	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:35:05.593816996 CET	53152	445	192.168.2.5	74.178.121.1
Jan 14, 2025 23:35:05.598571062 CET	445	53152	74.178.121.1	192.168.2.5
Jan 14, 2025 23:35:05.598583937 CET	445	53152	74.178.121.1	192.168.2.5
Jan 14, 2025 23:35:05.654370070 CET	53368	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.659172058 CET	445	53368	74.178.121.2	192.168.2.5
Jan 14, 2025 23:35:05.659250021 CET	53368	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.659282923 CET	53368	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.659569979 CET	53370	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.664165020 CET	445	53368	74.178.121.2	192.168.2.5
Jan 14, 2025 23:35:05.664227962 CET	53368	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.664331913 CET	445	53370	74.178.121.2	192.168.2.5
Jan 14, 2025 23:35:05.664403915 CET	53370	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.664453030 CET	53370	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:05.669220924 CET	445	53370	74.178.121.2	192.168.2.5
Jan 14, 2025 23:35:06.326045990 CET	53376	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:06.330985069 CET	445	53376	153.5.218.1	192.168.2.5
Jan 14, 2025 23:35:06.331077099 CET	53376	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:06.331115961 CET	53376	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:06.335856915 CET	445	53376	153.5.218.1	192.168.2.5
Jan 14, 2025 23:35:06.466217041 CET	445	53159	194.204.94.1	192.168.2.5
Jan 14, 2025 23:35:06.466281891 CET	53159	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:06.466335058 CET	53159	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:06.466335058 CET	53159	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:06.471220970 CET	445	53159	194.204.94.1	192.168.2.5
Jan 14, 2025 23:35:06.471230984 CET	445	53159	194.204.94.1	192.168.2.5
Jan 14, 2025 23:35:07.200680017 CET	445	53164	69.170.172.1	192.168.2.5
Jan 14, 2025 23:35:07.200751066 CET	53164	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:07.219377041 CET	53164	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:07.219619036 CET	53164	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:07.224240065 CET	445	53164	69.170.172.1	192.168.2.5
Jan 14, 2025 23:35:07.224427938 CET	445	53164	69.170.172.1	192.168.2.5
Jan 14, 2025 23:35:07.544593096 CET	445	53167	167.175.169.1	192.168.2.5
Jan 14, 2025 23:35:07.544666052 CET	53167	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:35:07.544704914 CET	53167	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:35:07.544739962 CET	53167	445	192.168.2.5	167.175.169.1
Jan 14, 2025 23:35:07.549510956 CET	445	53167	167.175.169.1	192.168.2.5
Jan 14, 2025 23:35:07.549520969 CET	445	53167	167.175.169.1	192.168.2.5
Jan 14, 2025 23:35:07.624152899 CET	53400	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.629043102 CET	445	53400	167.175.169.2	192.168.2.5
Jan 14, 2025 23:35:07.629117966 CET	53400	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.629158020 CET	53400	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.630959034 CET	53401	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.634016991 CET	445	53400	167.175.169.2	192.168.2.5
Jan 14, 2025 23:35:07.634072065 CET	53400	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.635718107 CET	445	53401	167.175.169.2	192.168.2.5
Jan 14, 2025 23:35:07.635778904 CET	53401	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.635816097 CET	53401	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:07.640563965 CET	445	53401	167.175.169.2	192.168.2.5
Jan 14, 2025 23:35:08.935844898 CET	445	53180	215.212.124.1	192.168.2.5
Jan 14, 2025 23:35:08.939412117 CET	53180	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:35:08.945420980 CET	53180	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:35:08.945447922 CET	53180	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:35:08.950278044 CET	445	53180	215.212.124.1	192.168.2.5
Jan 14, 2025 23:35:08.950293064 CET	445	53180	215.212.124.1	192.168.2.5
Jan 14, 2025 23:35:09.483071089 CET	53431	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:09.488501072 CET	445	53431	194.204.94.1	192.168.2.5
Jan 14, 2025 23:35:09.488579988 CET	53431	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:09.488616943 CET	53431	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:09.495373964 CET	445	53431	194.204.94.1	192.168.2.5
Jan 14, 2025 23:35:09.597141027 CET	445	53185	133.205.133.1	192.168.2.5
Jan 14, 2025 23:35:09.597238064 CET	53185	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:35:09.597347021 CET	53185	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:35:09.597347021 CET	53185	445	192.168.2.5	133.205.133.1
Jan 14, 2025 23:35:09.602196932 CET	445	53185	133.205.133.1	192.168.2.5
Jan 14, 2025 23:35:09.602205992 CET	445	53185	133.205.133.1	192.168.2.5
Jan 14, 2025 23:35:09.656502008 CET	53436	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.661384106 CET	445	53436	133.205.133.2	192.168.2.5
Jan 14, 2025 23:35:09.661485910 CET	53436	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.661736012 CET	53436	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.662251949 CET	53437	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.666548014 CET	445	53436	133.205.133.2	192.168.2.5
Jan 14, 2025 23:35:09.666649103 CET	53436	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.667037964 CET	445	53437	133.205.133.2	192.168.2.5
Jan 14, 2025 23:35:09.667102098 CET	53437	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.667139053 CET	53437	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:09.671921968 CET	445	53437	133.205.133.2	192.168.2.5
Jan 14, 2025 23:35:10.232023954 CET	53451	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:10.237257004 CET	445	53451	69.170.172.1	192.168.2.5
Jan 14, 2025 23:35:10.237340927 CET	53451	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:10.237361908 CET	53451	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:10.242244959 CET	445	53451	69.170.172.1	192.168.2.5
Jan 14, 2025 23:35:10.591617107 CET	445	53194	149.224.92.1	192.168.2.5
Jan 14, 2025 23:35:10.591727018 CET	53194	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:35:10.591813087 CET	53194	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:35:10.591813087 CET	53194	445	192.168.2.5	149.224.92.1
Jan 14, 2025 23:35:10.596833944 CET	445	53194	149.224.92.1	192.168.2.5
Jan 14, 2025 23:35:10.596935987 CET	445	53194	149.224.92.1	192.168.2.5
Jan 14, 2025 23:35:11.686219931 CET	445	53202	148.13.134.1	192.168.2.5
Jan 14, 2025 23:35:11.687074900 CET	53202	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:35:11.687119961 CET	53202	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:35:11.687119961 CET	53202	445	192.168.2.5	148.13.134.1
Jan 14, 2025 23:35:11.691899061 CET	445	53202	148.13.134.1	192.168.2.5
Jan 14, 2025 23:35:11.691921949 CET	445	53202	148.13.134.1	192.168.2.5
Jan 14, 2025 23:35:11.747747898 CET	53497	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.752645969 CET	445	53497	148.13.134.2	192.168.2.5
Jan 14, 2025 23:35:11.753019094 CET	53497	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.753086090 CET	53497	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.753422022 CET	53499	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.758208036 CET	445	53499	148.13.134.2	192.168.2.5
Jan 14, 2025 23:35:11.759030104 CET	53499	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.759067059 CET	53499	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.763864994 CET	445	53499	148.13.134.2	192.168.2.5
Jan 14, 2025 23:35:11.765342951 CET	445	53497	148.13.134.2	192.168.2.5
Jan 14, 2025 23:35:11.768013000 CET	53497	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:11.950843096 CET	53509	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:35:11.955709934 CET	445	53509	215.212.124.1	192.168.2.5
Jan 14, 2025 23:35:11.955777884 CET	53509	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:35:11.955790997 CET	53509	445	192.168.2.5	215.212.124.1
Jan 14, 2025 23:35:11.960555077 CET	445	53509	215.212.124.1	192.168.2.5
Jan 14, 2025 23:35:12.175189972 CET	445	53208	140.174.26.1	192.168.2.5
Jan 14, 2025 23:35:12.175338030 CET	53208	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:35:12.175374985 CET	53208	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:35:12.175388098 CET	53208	445	192.168.2.5	140.174.26.1
Jan 14, 2025 23:35:12.181029081 CET	445	53208	140.174.26.1	192.168.2.5
Jan 14, 2025 23:35:12.181041956 CET	445	53208	140.174.26.1	192.168.2.5
Jan 14, 2025 23:35:13.564122915 CET	445	53220	145.214.61.1	192.168.2.5
Jan 14, 2025 23:35:13.564330101 CET	53220	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:35:13.612812996 CET	445	53222	161.190.209.1	192.168.2.5
Jan 14, 2025 23:35:13.612879038 CET	53222	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:35:13.821933985 CET	53254	445	192.168.2.5	22.33.251.2
Jan 14, 2025 23:35:13.822025061 CET	53401	445	192.168.2.5	167.175.169.2
Jan 14, 2025 23:35:13.822072983 CET	53319	445	192.168.2.5	163.33.155.2
Jan 14, 2025 23:35:13.822084904 CET	53222	445	192.168.2.5	161.190.209.1
Jan 14, 2025 23:35:13.822150946 CET	53341	445	192.168.2.5	115.64.228.2
Jan 14, 2025 23:35:13.822225094 CET	53304	445	192.168.2.5	164.159.211.1
Jan 14, 2025 23:35:13.822253942 CET	53233	445	192.168.2.5	164.90.167.1
Jan 14, 2025 23:35:13.822273016 CET	53220	445	192.168.2.5	145.214.61.1
Jan 14, 2025 23:35:13.822273016 CET	53238	445	192.168.2.5	202.122.32.1
Jan 14, 2025 23:35:13.822298050 CET	53244	445	192.168.2.5	61.204.190.1
Jan 14, 2025 23:35:13.822345018 CET	53258	445	192.168.2.5	60.43.125.1
Jan 14, 2025 23:35:13.822396994 CET	53273	445	192.168.2.5	69.124.198.2
Jan 14, 2025 23:35:13.822446108 CET	53282	445	192.168.2.5	198.241.75.1
Jan 14, 2025 23:35:13.822453022 CET	53257	445	192.168.2.5	80.104.46.1
Jan 14, 2025 23:35:13.822453022 CET	53266	445	192.168.2.5	119.11.25.1
Jan 14, 2025 23:35:13.822463036 CET	53290	445	192.168.2.5	124.94.33.1
Jan 14, 2025 23:35:13.822467089 CET	53281	445	192.168.2.5	160.234.246.1
Jan 14, 2025 23:35:13.822525978 CET	53298	445	192.168.2.5	190.175.99.1
Jan 14, 2025 23:35:13.822525978 CET	53309	445	192.168.2.5	58.192.79.2
Jan 14, 2025 23:35:13.822540045 CET	53317	445	192.168.2.5	123.102.22.1
Jan 14, 2025 23:35:13.822582006 CET	53326	445	192.168.2.5	83.169.224.1
Jan 14, 2025 23:35:13.822594881 CET	53350	445	192.168.2.5	197.111.193.1
Jan 14, 2025 23:35:13.822607994 CET	53307	445	192.168.2.5	108.170.252.1
Jan 14, 2025 23:35:13.822644949 CET	53370	445	192.168.2.5	74.178.121.2
Jan 14, 2025 23:35:13.822669029 CET	53376	445	192.168.2.5	153.5.218.1
Jan 14, 2025 23:35:13.822730064 CET	53437	445	192.168.2.5	133.205.133.2
Jan 14, 2025 23:35:13.822746992 CET	53451	445	192.168.2.5	69.170.172.1
Jan 14, 2025 23:35:13.822809935 CET	53431	445	192.168.2.5	194.204.94.1
Jan 14, 2025 23:35:13.822844028 CET	53499	445	192.168.2.5	148.13.134.2
Jan 14, 2025 23:35:13.822957039 CET	53509	445	192.168.2.5	215.212.124.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:34:06.539483070 CET	54804	53	192.168.2.5	1.1.1.1
Jan 14, 2025 23:34:06.846317053 CET	53	54804	1.1.1.1	192.168.2.5
Jan 14, 2025 23:34:07.501362085 CET	52388	53	192.168.2.5	1.1.1.1
Jan 14, 2025 23:34:07.833739996 CET	53	52388	1.1.1.1	192.168.2.5
Jan 14, 2025 23:34:36.614125967 CET	53	55164	162.159.36.2	192.168.2.5
Jan 14, 2025 23:34:37.081850052 CET	61391	53	192.168.2.5	1.1.1.1
Jan 14, 2025 23:34:37.202076912 CET	53	61391	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 23:34:06.539483070 CET	192.168.2.5	1.1.1.1	0xee	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:34:07.501362085 CET	192.168.2.5	1.1.1.1	0x181f	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:34:37.081850052 CET	192.168.2.5	1.1.1.1	0xe0d7	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 23:34:06.846317053 CET	1.1.1.1	192.168.2.5	0xee	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:34:07.833739996 CET	1.1.1.1	192.168.2.5	0x181f	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 23:34:07.833739996 CET	1.1.1.1	192.168.2.5	0x181f	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:34:37.202076912 CET	1.1.1.1	192.168.2.5	0xe0d7	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	103.224.212.215	80	6052	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:34:06.858745098 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:34:07.495368004 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:34:07 GMT server: Apache set-cookie: __tad=1736894047.2350906; expires=Fri, 12-Jan-2035 22:34:07 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0711-a4e9-cbca1637d94b content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	199.59.243.228	80	6052	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:34:07.840545893 CET	169	OUT	GET /?subid1=20250115-0934-0711-a4e9-cbca1637d94b HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:34:08.296755075 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:34:07 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 85d71e1c-462c-4976-95fa-24291f75e090 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pMouMns6oqPMJVjW3PwXoyZprm0URO6gn4WRJa2vqCyakiNCo4NCABEiVevkRWFuuJ2gfDKCnbWDEX4tHH7dMQ== set-cookie: parking_session=85d71e1c-462c-4976-95fa-24291f75e090; expires=Tue, 14 Jan 2025 22:49:08 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 70 4d 6f 75 4d 6e 73 36 6f 71 50 4d 4a 56 6a 57 33 50 77 58 6f 79 5a 70 72 6d 30 55 52 4f 36 67 6e 34 57 52 4a 61 32 76 71 43 79 61 6b 69 4e 43 6f 34 4e 43 41 42 45 69 56 65 76 6b 52 57 46 75 75 4a 32 67 66 44 4b 43 6e 62 57 44 45 58 34 74 48 48 37 64 4d 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pMouMns6oqPMJVjW3PwXoyZprm0URO6gn4WRJa2vqCyakiNCo4NCABEiVevkRWFuuJ2gfDKCnbWDEX4tHH7dMQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:34:08.296819925 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODVkNzFlMWMtNDYyYy00OTc2LTk1ZmEtMjQyOTFmNzVlMDkwIiwicGFnZV90aW1lIjoxNzM2ODk0MDQ4LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	103.224.212.215	80	3480	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:34:08.464134932 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:34:09.108202934 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:34:09 GMT server: Apache set-cookie: __tad=1736894049.2675295; expires=Fri, 12-Jan-2035 22:34:09 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-0970-8cc9-73b029fd529f content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	199.59.243.228	80	3480	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:34:09.117826939 CET	169	OUT	GET /?subid1=20250115-0934-0970-8cc9-73b029fd529f HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:34:09.661906004 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:34:09 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: bc40c622-5cf6-4d4b-bf2d-91dd6236e110 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dgmGXuX/BuiePdUBvAyYqZEdyxFfX6bU8PSZcgASAAzAguGdXTkwOAb8xSlmK0fFT2rKb+1KsooNoLML0yURzw== set-cookie: parking_session=bc40c622-5cf6-4d4b-bf2d-91dd6236e110; expires=Tue, 14 Jan 2025 22:49:09 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 67 6d 47 58 75 58 2f 42 75 69 65 50 64 55 42 76 41 79 59 71 5a 45 64 79 78 46 66 58 36 62 55 38 50 53 5a 63 67 41 53 41 41 7a 41 67 75 47 64 58 54 6b 77 4f 41 62 38 78 53 6c 6d 4b 30 66 46 54 32 72 4b 62 2b 31 4b 73 6f 6f 4e 6f 4c 4d 4c 30 79 55 52 7a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dgmGXuX/BuiePdUBvAyYqZEdyxFfX6bU8PSZcgASAAzAguGdXTkwOAb8xSlmK0fFT2rKb+1KsooNoLML0yURzw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:34:09.661964893 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmM0MGM2MjItNWNmNi00ZDRiLWJmMmQtOTFkZDYyMzZlMTEwIiwicGFnZV90aW1lIjoxNzM2ODk0MDQ5LCJwYWdlX3VybCI6I
Jan 14, 2025 23:34:09.662003994 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmM0MGM2MjItNWNmNi00ZDRiLWJmMmQtOTFkZDYyMzZlMTEwIiwicGFnZV90aW1lIjoxNzM2ODk0MDQ5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	103.224.212.215	80	3252	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:34:09.401051044 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736894047.2350906
Jan 14, 2025 23:34:10.014123917 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:34:09 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0934-09e1-a4d8-9386228033a7 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49717	199.59.243.228	80	3252	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:34:10.022483110 CET	231	OUT	GET /?subid1=20250115-0934-09e1-a4d8-9386228033a7 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=85d71e1c-462c-4976-95fa-24291f75e090
Jan 14, 2025 23:34:10.486355066 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:34:10 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 78e2f1aa-0108-48cf-b4d0-793584d700d0 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_RSJTUAtLeYO0dhcPOsA9mCHDwHJ4ntLB+vML21/3Au7A5YqxlSP1g1pXVsLL9MABZFFRz0wkxTc/0V6JtkRSrQ== set-cookie: parking_session=85d71e1c-462c-4976-95fa-24291f75e090; expires=Tue, 14 Jan 2025 22:49:10 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 52 53 4a 54 55 41 74 4c 65 59 4f 30 64 68 63 50 4f 73 41 39 6d 43 48 44 77 48 4a 34 6e 74 4c 42 2b 76 4d 4c 32 31 2f 33 41 75 37 41 35 59 71 78 6c 53 50 31 67 31 70 58 56 73 4c 4c 39 4d 41 42 5a 46 46 52 7a 30 77 6b 78 54 63 2f 30 56 36 4a 74 6b 52 53 72 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_RSJTUAtLeYO0dhcPOsA9mCHDwHJ4ntLB+vML21/3Au7A5YqxlSP1g1pXVsLL9MABZFFRz0wkxTc/0V6JtkRSrQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 23:34:10.486418009 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODVkNzFlMWMtNDYyYy00OTc2LTk1ZmEtMjQyOTFmNzVlMDkwIiwicGFnZV90aW1lIjoxNzM2ODk0MDUwLCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	17:34:05
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll"
Imagebase:	0x4e0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:34:05
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:34:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:34:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D3W41IdtQA.dll,PlayGame
Imagebase:	0x370000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:34:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",#1
Imagebase:	0x370000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:34:05
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	8FFE5EAA2C7E7B68B68F70F7B2456C42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2059116845.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2059281038.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:34:07
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	8FFE5EAA2C7E7B68B68F70F7B2456C42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2078455711.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2078571904.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2728292816.000000000227E000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2728081157.0000000001D57000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:34:08
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3W41IdtQA.dll",PlayGame
Imagebase:	0x370000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:34:08
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	8FFE5EAA2C7E7B68B68F70F7B2456C42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2087741306.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.2100631986.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2100501122.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.2087872787.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
D, xrefs: 00407ED3
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
CreateProcessA, xrefs: 00407D07
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F

Memory Dump Source

Source File: 00000005.00000002.2092644247.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2092625262.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092668020.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092820275.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.2092644247.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2092625262.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092668020.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092820275.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.2092644247.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2092625262.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092668020.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092820275.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000005.00000002.2092644247.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2092625262.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092668020.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092820275.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.2092644247.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2092625262.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092668020.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092688099.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092820275.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2092928985.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 3480, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2727397258.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2727384274.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727411276.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727468720.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727481781.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2727397258.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2727384274.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727411276.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727468720.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727481781.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000007.00000002.2727397258.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2727384274.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727411276.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727468720.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727481781.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000007.00000002.2727397258.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2727384274.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727411276.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727468720.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727481781.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2727397258.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2727384274.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727411276.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727423449.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727456117.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727468720.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727481781.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2727557948.0000000000851000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D3W41IdtQA.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
D3W41IdtQA.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON