Edit tour

Windows Analysis Report
V01vdyUACe.dll

Overview

General Information

Sample name:	V01vdyUACe.dll renamed because original name is a hash value
Original sample name:	99d5af136c5d863d5ba4cd5c964c9122.dll
Analysis ID:	1591531
MD5:	99d5af136c5d863d5ba4cd5c964c9122
SHA1:	021776b034251555f25ace43b1061a444d5ba906
SHA256:	893065e33bb4a2fa7597da335fecd52a0f098383186482478f0300c40e3be739
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7412 cmdline: loaddll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7460 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7488 cmdline: rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7512 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 9679BDFFCFC1DA1D852E8F218B335E78)

rundll32.exe (PID: 7472 cmdline: rundll32.exe C:\Users\user\Desktop\V01vdyUACe.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7640 cmdline: rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7656 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 9679BDFFCFC1DA1D852E8F218B335E78)

mssecsvc.exe (PID: 7584 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 9679BDFFCFC1DA1D852E8F218B335E78)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
V01vdyUACe.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
V01vdyUACe.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
V01vdyUACe.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.1831457534.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1801878238.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1809283291.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1779970986.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 7512	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7584	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7656	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.mssecsvc.exe.1faf084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.24da8c8.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.1fe1128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvc.exe.1fe1128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.250c96c.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.250c96c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvc.exe.250c96c.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.250c96c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvc.exe.250c96c.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.1fe1128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1fe1128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvc.exe.1fe1128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.1fbe104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1fbe104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvc.exe.1fbe104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.1fbe104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.24e9948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.24e9948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvc.exe.24e9948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.24e9948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.24e58e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.24e58e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvc.exe.24e58e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.1faf084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1faf084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x28ede4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x27ebb0:$x3: tasksche.exe 0x28edc0:$x3: tasksche.exe 0x28ed9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x28ee14:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x24926c:$x7: mssecsvc.exe 0x264b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x27eb88:$x8: C:\%s\qeriuwjhrf 0x28ede4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x249254:$s1: C:\%s\%s 0x264b7c:$s1: C:\%s\%s 0x27eb9c:$s1: C:\%s\%s 0x28ed14:$s3: cmd.exe /c "%s" 0x2c1268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x27bed0:$s5: \\192.168.56.20\IPC$
6.2.mssecsvc.exe.1faf084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.1faf084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x28edc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x28ede8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.1fba0a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1fba0a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvc.exe.1fba0a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.24da8c8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.24da8c8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.24da8c8.6.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.1fbe104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1fbe104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
6.2.mssecsvc.exe.1fbe104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.24e9948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.24e9948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
6.2.mssecsvc.exe.24e9948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 88 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T03:04:48.582698+0100	2803304	3	Unknown Traffic	192.168.2.4	49732	103.224.212.215	80	TCP
2025-01-15T03:04:50.516076+0100	2803304	3	Unknown Traffic	192.168.2.4	49734	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T03:04:47.643513+0100	2830018	1	A Network Trojan was detected	192.168.2.4	55668	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: V01vdyUACe.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7f7	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f2	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d9429	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d94	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f250	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 93%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Source: V01vdyUACe.dll	Virustotal: Detection: 92%			Perma Link
Source: V01vdyUACe.dll	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: V01vdyUACe.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: V01vdyUACe.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.4:55668 -> 1.1.1.1:53

Source: unknown

Network traffic detected: IP country count 11

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1304-48cb-ab27-b1d7f25d9429 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736906688.6242741
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1304-5082-90f7-a7068eb2f250 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1304-5151-bf6a-63383d41d7f7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=84ae1b42-84fc-4740-a603-6b20200136a7

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.77
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.77
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.77
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.77
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 183.50.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.171
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.171
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.171
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.171
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.109.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.73
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.73
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.73
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.73
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.87.172.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.108
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.108
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.108
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.108
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 86.128.111.1
Source: unknown	TCP traffic detected without corresponding DNS query: 221.48.37.144
Source: unknown	TCP traffic detected without corresponding DNS query: 221.48.37.144
Source: unknown	TCP traffic detected without corresponding DNS query: 221.48.37.144

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1304-48cb-ab27-b1d7f25d9429 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736906688.6242741
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1304-5082-90f7-a7068eb2f250 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1304-5151-bf6a-63383d41d7f7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=84ae1b42-84fc-4740-a603-6b20200136a7

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvc.exe, 00000008.00000002.1831803586.0000000000BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgoYt
Source: mssecsvc.exe, 00000005.00000002.1825468248.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000005.00000002.1825468248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000005.00000003.1791193960.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d94
Source: mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000003.1824588963.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2462264952.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f2
Source: mssecsvc.exe, 00000008.00000002.1831803586.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000003.1828934040.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7
Source: mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w
Source: V01vdyUACe.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvc.exe, 00000005.00000002.1825468248.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1831803586.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1831803586.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvc.exe, 00000005.00000002.1825468248.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/#
Source: mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/(
Source: mssecsvc.exe, 00000008.00000002.1831803586.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/1U
Source: mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8
Source: mssecsvc.exe, 00000008.00000002.1831803586.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Xt
Source: mssecsvc.exe, 00000005.00000002.1825468248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Y
Source: mssecsvc.exe, 00000006.00000002.2461099749.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvc.exe, 00000008.00000002.1831803586.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comNn

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: V01vdyUACe.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvc.exe.250c96c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1fe1128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.24e58e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1fba0a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.24da8c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1fbe104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.24e9948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1831457534.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1801878238.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1809283291.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1779970986.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7656, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: V01vdyUACe.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: V01vdyUACe.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1faf084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.24da8c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1fe1128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1fe1128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.250c96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.250c96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.250c96c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.250c96c.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1fe1128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1fe1128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.24e58e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.24e58e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1fba0a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1fba0a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.24da8c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.24da8c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1fbe104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1fbe104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.24e9948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.24e9948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: V01vdyUACe.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: V01vdyUACe.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: V01vdyUACe.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1faf084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.24da8c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1fe1128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1fe1128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.250c96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.250c96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.250c96c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.250c96c.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1fe1128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1fe1128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.1fbe104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.24e9948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.24e58e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.24e58e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.1faf084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1fba0a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1fba0a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.24da8c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.24da8c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1fbe104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1fbe104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.24e9948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.24e9948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.5.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: V01vdyUACe.dll, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03

Source: V01vdyUACe.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V01vdyUACe.dll,PlayGame

Source: V01vdyUACe.dll	Virustotal: Detection: 92%
Source: V01vdyUACe.dll	ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V01vdyUACe.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V01vdyUACe.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: V01vdyUACe.dll

Static file information: File size 5267459 > 1048576

Source: V01vdyUACe.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.5.dr

Static PE information: section name: .text entropy: 7.629756223800418

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvc.exe

Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe TID: 7700	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7700	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7704	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7704	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7700	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000006.00000002.2462264952.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: mssecsvc.exe, 00000005.00000002.1825468248.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000003.1824878869.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000003.1824588963.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2462264952.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1831803586.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1831803586.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1831803586.0000000000BD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvc.exe, 00000005.00000002.1825468248.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp3

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
V01vdyUACe.dll	93%	Virustotal		Browse
V01vdyUACe.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
V01vdyUACe.dll	100%	Avira	TR/AD.WannaCry.cxhsa
V01vdyUACe.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7f7	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgoYt	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f2	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comNn	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d9429	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d94	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f250	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d9429	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7f7	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f250	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comNn	mssecsvc.exe, 00000008.00000002.1831803586.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/(	mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	V01vdyUACe.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w	mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f2	mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000003.1824588963.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2462264952.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/1U	mssecsvc.exe, 00000008.00000002.1831803586.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7	mssecsvc.exe, 00000008.00000002.1831803586.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000003.1828934040.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/#	mssecsvc.exe, 00000005.00000002.1825468248.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Xt	mssecsvc.exe, 00000008.00000002.1831803586.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgoYt	mssecsvc.exe, 00000008.00000002.1831803586.0000000000BD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d94	mssecsvc.exe, 00000005.00000002.1825468248.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000005.00000002.1825468248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000005.00000003.1791193960.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvc.exe, 00000006.00000002.2461099749.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8	mssecsvc.exe, 00000006.00000002.2462264952.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Y	mssecsvc.exe, 00000005.00000002.1825468248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.133.158.54	unknown	United States	40618	SESAMEUS	false
202.72.145.1	unknown	Australia	9543	WESTNET-AS-APWestnetInternetServicesAU	false
2.126.104.1	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
163.159.85.24	unknown	Slovenia	15435	KABELFOONDELTAFiberNederlandNL	false
202.14.161.67	unknown	India	131458	WILLIAMSLEA-AS-APWILLIAMSLEAINDIAPRIVATELIMITEDIN	false
57.176.241.137	unknown	Belgium	2686	ATGS-MMD-ASUS	false
148.155.59.221	unknown	United States	18715	NYPAUS	false
207.109.181.2	unknown	United States	397973	CDS-GLOBAL-01US	false
207.109.181.1	unknown	United States	397973	CDS-GLOBAL-01US	false
183.50.126.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
183.50.126.2	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
122.116.214.234	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
182.88.71.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
38.133.158.1	unknown	United States	40618	SESAMEUS	false
45.97.165.121	unknown	Egypt	37069	MOBINILEG	false
39.122.246.1	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221
192.168.2.101
192.168.2.222

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591531
Start date and time:	2025-01-15 03:03:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	V01vdyUACe.dll renamed because original name is a hash value
Original Sample Name:	99d5af136c5d863d5ba4cd5c964c9122.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 184.30.131.245, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:04:49	API Interceptor	1x Sleep call for process: loaddll32.exe modified
21:05:25	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WILLIAMSLEA-AS-APWILLIAMSLEAINDIAPRIVATELIMITEDIN	m68k.elf	Get hash	malicious	Unknown	Browse	103.38.51.254
	skyljnee.arm-20240128-0910.elf	Get hash	malicious	Mirai	Browse	202.14.176.0
	pxObBd1d8a.elf	Get hash	malicious	Mirai	Browse	202.14.176.4
	SecuriteInfo.com.Linux.Siggen.9999.14754.14903	Get hash	malicious	Mirai	Browse	202.14.176.4
	ZG9zarm	Get hash	malicious	Mirai	Browse	202.14.176.1
	x86	Get hash	malicious	Mirai	Browse	103.38.51.242
	GujVgIhAhF	Get hash	malicious	Mirai	Browse	103.38.51.250
	sora.arm	Get hash	malicious	Mirai	Browse	103.38.51.243
KABELFOONDELTAFiberNederlandNL	splarm.elf	Get hash	malicious	Unknown	Browse	163.158.28.14
	star.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	62.45.21.194
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	163.159.107.147
	bin.sh.elf	Get hash	malicious	Mirai	Browse	159.180.12.14
	arm7.elf	Get hash	malicious	Mirai	Browse	159.180.12.20
	xd.mips.elf	Get hash	malicious	Mirai	Browse	163.159.107.112
	nabx86.elf	Get hash	malicious	Unknown	Browse	163.159.77.51
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	163.159.104.24
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	163.158.223.243
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	163.159.12.150
WESTNET-AS-APWestnetInternetServicesAU	6.elf	Get hash	malicious	Unknown	Browse	58.6.150.64
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	202.72.179.118
	elitebotnet.arm5.elf	Get hash	malicious	Mirai, Okiru	Browse	202.173.131.6
	sh4.elf	Get hash	malicious	Mirai	Browse	202.173.131.4
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	202.173.131.5
	na.elf	Get hash	malicious	Mirai	Browse	202.72.153.69
	pur361ECCi.elf	Get hash	malicious	Mirai	Browse	58.6.198.48
	92.249.48.47-skid.ppc-2024-07-20T09_04_20.elf	Get hash	malicious	Mirai, Moobot	Browse	58.6.149.97
	VrTXQBQPLv.elf	Get hash	malicious	Mirai	Browse	58.6.198.23
	Ns1xkTsDQO.elf	Get hash	malicious	Mirai	Browse	202.72.153.60
BSKYB-BROADBAND-ASGB	9kNjKSEUym.dll	Get hash	malicious	Wannacry	Browse	94.12.91.1
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	90.207.146.203
	x86.elf	Get hash	malicious	Unknown	Browse	2.218.141.115
	i486.elf	Get hash	malicious	Unknown	Browse	90.217.19.173
	meth14.elf	Get hash	malicious	Mirai	Browse	2.216.236.49
	sh4.elf	Get hash	malicious	Unknown	Browse	176.254.67.238
	elitebotnet.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	176.26.210.220
	elitebotnet.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	78.86.224.209
	elitebotnet.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	94.194.149.73
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	176.254.218.204

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	4.48308667683592
Encrypted:	false
SSDEEP:	12288:ntgQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFGeXE3Tb:tgQhfdmMSirYbcMNgef0QeQjG/
MD5:	ED22CE8D03352290D9AE3C16F226775F
SHA1:	7D3CBF9CE6F11F583D6FAB85652BE8DEED186D7F
SHA-256:	0803D5ABAA188C990F4F9731E292D405A3B83835847235523DE4D1597A548746
SHA-512:	53D1D819C25ECC91E239F47B099A88F621B67F1B51CBC74F9E825D64A6CD1E6851C821DEAD2B06BC68F5C50E58EAF608330DDC61F8C68A320EF95539CD3B0F05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	4.48308667683592
Encrypted:	false
SSDEEP:	12288:ntgQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFGeXE3Tb:tgQhfdmMSirYbcMNgef0QeQjG/
MD5:	ED22CE8D03352290D9AE3C16F226775F
SHA1:	7D3CBF9CE6F11F583D6FAB85652BE8DEED186D7F
SHA-256:	0803D5ABAA188C990F4F9731E292D405A3B83835847235523DE4D1597A548746
SHA-512:	53D1D819C25ECC91E239F47B099A88F621B67F1B51CBC74F9E825D64A6CD1E6851C821DEAD2B06BC68F5C50E58EAF608330DDC61F8C68A320EF95539CD3B0F05
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.3164240424143285
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	V01vdyUACe.dll
File size:	5'267'459 bytes
MD5:	99d5af136c5d863d5ba4cd5c964c9122
SHA1:	021776b034251555f25ace43b1061a444d5ba906
SHA256:	893065e33bb4a2fa7597da335fecd52a0f098383186482478f0300c40e3be739
SHA512:	897a05d09e722abab0e5b0de0bf7212701ef43cd3e062302bd3a729d692b28b4e35405f23f7bdbd0fbbc9df27c25564a33b538ae56e43b05e6a3f01e1ea66231
SSDEEP:	12288:yvbLgPluCtgQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEy:SbLgdrgQhfdmMSirYbcMNgef0QeQjG/
TLSH:	BB36239975AC90F8D10A63B5B4778A26A2B37C9E31BD970F9B9087610C03790BF64F53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FE2C485D9FBh
cmp dword ptr [10003140h], 00000000h
jmp 00007FE2C485DA18h
cmp esi, 01h
je 00007FE2C485D9F7h
cmp esi, 02h
jne 00007FE2C485DA14h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FE2C485D9FBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FE2C485D9FEh
push edi
push esi
push ebx
call 00007FE2C485D90Ah
test eax, eax
jne 00007FE2C485D9F6h
xor eax, eax
jmp 00007FE2C485DA40h
push edi
push esi
push ebx
call 00007FE2C485D7BCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FE2C485D9FEh
test eax, eax
jne 00007FE2C485DA29h
push edi
push eax
push ebx
call 00007FE2C485D8E6h
test esi, esi
je 00007FE2C485D9F7h
cmp esi, 03h
jne 00007FE2C485DA18h
push edi
push esi
push ebx
call 00007FE2C485D8D5h
test eax, eax
jne 00007FE2C485D9F5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FE2C485DA03h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FE2C485D9FAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	84a674cf85b17b4f109730288a595875	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8783693313598633

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T03:04:47.643513+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.4	55668	1.1.1.1	53	UDP
2025-01-15T03:04:48.582698+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49732	103.224.212.215	80	TCP
2025-01-15T03:04:50.516076+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49734	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 03:04:42.812556982 CET	49675	443	192.168.2.4	173.222.162.32
Jan 15, 2025 03:04:47.968579054 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:47.974178076 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:47.974309921 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:47.974740982 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:47.980319023 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:48.582285881 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:48.582633018 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:48.582698107 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:48.582698107 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:48.586515903 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:48.591418982 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:48.772672892 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:48.777609110 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:48.777686119 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:48.777930021 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:48.782771111 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:49.271224022 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:49.271244049 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:49.271284103 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:49.271320105 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:49.319520950 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:49.319540977 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:49.850689888 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:49.855612993 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:49.856250048 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:49.856250048 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:49.861090899 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:49.908143997 CET	443	49730	173.222.162.32	192.168.2.4
Jan 15, 2025 03:04:49.908232927 CET	49730	443	192.168.2.4	173.222.162.32
Jan 15, 2025 03:04:50.516004086 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:50.516076088 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:50.516083002 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:50.516196966 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:50.519172907 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:50.520064116 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:50.523217916 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:50.524060965 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:50.524604082 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:50.524604082 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:50.524863958 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:50.528073072 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:50.528126955 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:50.528528929 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:50.529508114 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:50.533407927 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.859368086 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.859385014 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.859461069 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.859576941 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.859576941 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.859651089 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:51.859659910 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:51.859668970 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:51.859839916 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:51.859839916 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:51.860030890 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.860227108 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.860321045 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:51.860359907 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:51.860460997 CET	80	49736	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.860506058 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:51.860591888 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.860593081 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:51.867327929 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.867327929 CET	49736	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.880352974 CET	49735	80	192.168.2.4	103.224.212.215
Jan 15, 2025 03:04:51.885200977 CET	80	49735	103.224.212.215	192.168.2.4
Jan 15, 2025 03:04:51.890871048 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.895720959 CET	80	49737	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.895854950 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.896326065 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:51.901096106 CET	80	49737	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:51.947724104 CET	49738	445	192.168.2.4	183.50.126.77
Jan 15, 2025 03:04:51.952605009 CET	445	49738	183.50.126.77	192.168.2.4
Jan 15, 2025 03:04:51.952668905 CET	49738	445	192.168.2.4	183.50.126.77
Jan 15, 2025 03:04:51.952718019 CET	49738	445	192.168.2.4	183.50.126.77
Jan 15, 2025 03:04:51.957613945 CET	445	49738	183.50.126.77	192.168.2.4
Jan 15, 2025 03:04:51.957659960 CET	49738	445	192.168.2.4	183.50.126.77
Jan 15, 2025 03:04:51.965727091 CET	49739	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.970534086 CET	445	49739	183.50.126.1	192.168.2.4
Jan 15, 2025 03:04:51.970594883 CET	49739	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.971199036 CET	49739	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.973762035 CET	49740	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.975965023 CET	445	49739	183.50.126.1	192.168.2.4
Jan 15, 2025 03:04:51.976011038 CET	49739	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.978506088 CET	445	49740	183.50.126.1	192.168.2.4
Jan 15, 2025 03:04:51.978560925 CET	49740	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.978595018 CET	49740	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:04:51.983350039 CET	445	49740	183.50.126.1	192.168.2.4
Jan 15, 2025 03:04:52.354362965 CET	80	49737	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:52.354386091 CET	80	49737	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:52.354587078 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:52.354588032 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:52.373532057 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:52.373532057 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:52.381161928 CET	80	49737	199.59.243.228	192.168.2.4
Jan 15, 2025 03:04:52.381513119 CET	49737	80	192.168.2.4	199.59.243.228
Jan 15, 2025 03:04:53.875516891 CET	49730	443	192.168.2.4	173.222.162.32
Jan 15, 2025 03:04:53.880315065 CET	443	49730	173.222.162.32	192.168.2.4
Jan 15, 2025 03:04:53.939501047 CET	49764	445	192.168.2.4	207.109.181.171
Jan 15, 2025 03:04:53.944283009 CET	445	49764	207.109.181.171	192.168.2.4
Jan 15, 2025 03:04:53.944360018 CET	49764	445	192.168.2.4	207.109.181.171
Jan 15, 2025 03:04:53.944412947 CET	49764	445	192.168.2.4	207.109.181.171
Jan 15, 2025 03:04:53.944927931 CET	49765	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.949249029 CET	445	49764	207.109.181.171	192.168.2.4
Jan 15, 2025 03:04:53.949320078 CET	49764	445	192.168.2.4	207.109.181.171
Jan 15, 2025 03:04:53.949680090 CET	445	49765	207.109.181.1	192.168.2.4
Jan 15, 2025 03:04:53.949737072 CET	49765	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.949796915 CET	49765	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.950814962 CET	49766	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.954725981 CET	445	49765	207.109.181.1	192.168.2.4
Jan 15, 2025 03:04:53.954766989 CET	49765	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.955573082 CET	445	49766	207.109.181.1	192.168.2.4
Jan 15, 2025 03:04:53.955626011 CET	49766	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.955662966 CET	49766	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:04:53.960436106 CET	445	49766	207.109.181.1	192.168.2.4
Jan 15, 2025 03:04:55.955368996 CET	49791	445	192.168.2.4	43.87.172.73
Jan 15, 2025 03:04:55.964693069 CET	445	49791	43.87.172.73	192.168.2.4
Jan 15, 2025 03:04:55.964766979 CET	49791	445	192.168.2.4	43.87.172.73
Jan 15, 2025 03:04:55.964864969 CET	49791	445	192.168.2.4	43.87.172.73
Jan 15, 2025 03:04:55.965061903 CET	49792	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.972028017 CET	445	49792	43.87.172.1	192.168.2.4
Jan 15, 2025 03:04:55.972059965 CET	445	49791	43.87.172.73	192.168.2.4
Jan 15, 2025 03:04:55.972100019 CET	49792	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.972114086 CET	49791	445	192.168.2.4	43.87.172.73
Jan 15, 2025 03:04:55.972220898 CET	49792	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.973352909 CET	49793	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.977216959 CET	445	49792	43.87.172.1	192.168.2.4
Jan 15, 2025 03:04:55.977274895 CET	49792	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.978137970 CET	445	49793	43.87.172.1	192.168.2.4
Jan 15, 2025 03:04:55.978193998 CET	49793	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.978256941 CET	49793	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:04:55.983014107 CET	445	49793	43.87.172.1	192.168.2.4
Jan 15, 2025 03:04:58.008662939 CET	49814	445	192.168.2.4	86.128.111.108
Jan 15, 2025 03:04:58.013776064 CET	445	49814	86.128.111.108	192.168.2.4
Jan 15, 2025 03:04:58.019162893 CET	49814	445	192.168.2.4	86.128.111.108
Jan 15, 2025 03:04:58.019582987 CET	49814	445	192.168.2.4	86.128.111.108
Jan 15, 2025 03:04:58.019829035 CET	49815	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.024558067 CET	445	49814	86.128.111.108	192.168.2.4
Jan 15, 2025 03:04:58.024646044 CET	445	49815	86.128.111.1	192.168.2.4
Jan 15, 2025 03:04:58.024696112 CET	49814	445	192.168.2.4	86.128.111.108
Jan 15, 2025 03:04:58.024735928 CET	49815	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.025907993 CET	49815	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.030781031 CET	445	49815	86.128.111.1	192.168.2.4
Jan 15, 2025 03:04:58.030889034 CET	49815	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.033130884 CET	49816	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.037925959 CET	445	49816	86.128.111.1	192.168.2.4
Jan 15, 2025 03:04:58.038116932 CET	49816	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.038259029 CET	49816	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:04:58.043040037 CET	445	49816	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:00.010895967 CET	49838	445	192.168.2.4	221.48.37.144
Jan 15, 2025 03:05:00.015892029 CET	445	49838	221.48.37.144	192.168.2.4
Jan 15, 2025 03:05:00.015971899 CET	49838	445	192.168.2.4	221.48.37.144
Jan 15, 2025 03:05:00.032730103 CET	49838	445	192.168.2.4	221.48.37.144
Jan 15, 2025 03:05:00.037560940 CET	445	49838	221.48.37.144	192.168.2.4
Jan 15, 2025 03:05:00.039134026 CET	49838	445	192.168.2.4	221.48.37.144
Jan 15, 2025 03:05:00.045986891 CET	49839	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.050870895 CET	445	49839	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:00.050925016 CET	49839	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.051100016 CET	49839	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.052479029 CET	49841	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.056204081 CET	445	49839	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:00.056255102 CET	49839	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.057534933 CET	445	49841	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:00.057591915 CET	49841	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.057703972 CET	49841	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:00.062453032 CET	445	49841	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:02.016968966 CET	49864	445	192.168.2.4	45.97.165.121
Jan 15, 2025 03:05:02.021843910 CET	445	49864	45.97.165.121	192.168.2.4
Jan 15, 2025 03:05:02.021950006 CET	49864	445	192.168.2.4	45.97.165.121
Jan 15, 2025 03:05:02.022051096 CET	49864	445	192.168.2.4	45.97.165.121
Jan 15, 2025 03:05:02.022376060 CET	49865	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.026890039 CET	445	49864	45.97.165.121	192.168.2.4
Jan 15, 2025 03:05:02.026967049 CET	49864	445	192.168.2.4	45.97.165.121
Jan 15, 2025 03:05:02.027235985 CET	445	49865	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:02.027297020 CET	49865	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.027331114 CET	49865	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.028352022 CET	49866	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.032224894 CET	445	49865	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:02.032413006 CET	49865	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.033137083 CET	445	49866	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:02.033242941 CET	49866	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.033399105 CET	49866	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:02.038198948 CET	445	49866	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:04.031687021 CET	49888	445	192.168.2.4	155.195.218.76
Jan 15, 2025 03:05:04.039064884 CET	445	49888	155.195.218.76	192.168.2.4
Jan 15, 2025 03:05:04.039144039 CET	49888	445	192.168.2.4	155.195.218.76
Jan 15, 2025 03:05:04.039176941 CET	49888	445	192.168.2.4	155.195.218.76
Jan 15, 2025 03:05:04.039360046 CET	49889	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.045522928 CET	445	49888	155.195.218.76	192.168.2.4
Jan 15, 2025 03:05:04.045576096 CET	49888	445	192.168.2.4	155.195.218.76
Jan 15, 2025 03:05:04.045900106 CET	445	49889	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:04.045949936 CET	49889	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.045977116 CET	49889	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.046211004 CET	49890	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.052421093 CET	445	49889	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:04.052472115 CET	49889	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.052772999 CET	445	49890	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:04.052841902 CET	49890	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.052880049 CET	49890	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:04.059137106 CET	445	49890	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:06.047408104 CET	49913	445	192.168.2.4	35.65.202.214
Jan 15, 2025 03:05:06.052249908 CET	445	49913	35.65.202.214	192.168.2.4
Jan 15, 2025 03:05:06.052417994 CET	49913	445	192.168.2.4	35.65.202.214
Jan 15, 2025 03:05:06.052526951 CET	49914	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.052529097 CET	49913	445	192.168.2.4	35.65.202.214
Jan 15, 2025 03:05:06.057360888 CET	445	49914	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:06.057399035 CET	445	49913	35.65.202.214	192.168.2.4
Jan 15, 2025 03:05:06.057455063 CET	49914	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.057486057 CET	49913	445	192.168.2.4	35.65.202.214
Jan 15, 2025 03:05:06.057501078 CET	49914	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.057920933 CET	49915	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.062459946 CET	445	49914	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:06.062552929 CET	49914	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.062776089 CET	445	49915	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:06.062839985 CET	49915	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.062886953 CET	49915	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:06.067634106 CET	445	49915	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:08.063244104 CET	49937	445	192.168.2.4	199.24.168.198
Jan 15, 2025 03:05:08.068151951 CET	445	49937	199.24.168.198	192.168.2.4
Jan 15, 2025 03:05:08.068253040 CET	49937	445	192.168.2.4	199.24.168.198
Jan 15, 2025 03:05:08.068322897 CET	49937	445	192.168.2.4	199.24.168.198
Jan 15, 2025 03:05:08.068461895 CET	49938	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.073322058 CET	445	49938	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:08.073379040 CET	445	49937	199.24.168.198	192.168.2.4
Jan 15, 2025 03:05:08.073401928 CET	49938	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.073424101 CET	49938	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.073719978 CET	49939	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.073719978 CET	49937	445	192.168.2.4	199.24.168.198
Jan 15, 2025 03:05:08.078438044 CET	445	49938	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:08.078491926 CET	49938	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.078572035 CET	445	49939	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:08.078638077 CET	49939	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.078674078 CET	49939	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:08.083528996 CET	445	49939	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:10.078564882 CET	49962	445	192.168.2.4	78.189.127.38
Jan 15, 2025 03:05:10.084469080 CET	445	49962	78.189.127.38	192.168.2.4
Jan 15, 2025 03:05:10.084543943 CET	49962	445	192.168.2.4	78.189.127.38
Jan 15, 2025 03:05:10.084557056 CET	49962	445	192.168.2.4	78.189.127.38
Jan 15, 2025 03:05:10.084784985 CET	49963	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.090490103 CET	445	49963	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:10.090575933 CET	49963	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.090598106 CET	49963	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.090662956 CET	445	49962	78.189.127.38	192.168.2.4
Jan 15, 2025 03:05:10.090704918 CET	49962	445	192.168.2.4	78.189.127.38
Jan 15, 2025 03:05:10.090918064 CET	49964	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.095412970 CET	445	49963	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:10.095532894 CET	49963	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.095693111 CET	445	49964	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:10.095757008 CET	49964	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.095776081 CET	49964	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:10.102191925 CET	445	49964	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:12.095835924 CET	49986	445	192.168.2.4	12.102.136.164
Jan 15, 2025 03:05:12.101012945 CET	445	49986	12.102.136.164	192.168.2.4
Jan 15, 2025 03:05:12.101083994 CET	49986	445	192.168.2.4	12.102.136.164
Jan 15, 2025 03:05:12.101154089 CET	49986	445	192.168.2.4	12.102.136.164
Jan 15, 2025 03:05:12.101284981 CET	49988	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.106040001 CET	445	49986	12.102.136.164	192.168.2.4
Jan 15, 2025 03:05:12.106086969 CET	49986	445	192.168.2.4	12.102.136.164
Jan 15, 2025 03:05:12.106091022 CET	445	49988	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:12.106156111 CET	49988	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.106215954 CET	49988	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.106518030 CET	49989	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.111072063 CET	445	49988	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:12.111109018 CET	49988	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.111325979 CET	445	49989	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:12.111387014 CET	49989	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.116489887 CET	49989	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:12.121289968 CET	445	49989	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:13.360487938 CET	445	49740	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:13.360574961 CET	49740	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:13.360656977 CET	49740	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:13.360729933 CET	49740	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:13.365398884 CET	445	49740	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:13.365535975 CET	445	49740	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:14.110383987 CET	50008	445	192.168.2.4	122.116.214.234
Jan 15, 2025 03:05:14.115187883 CET	445	50008	122.116.214.234	192.168.2.4
Jan 15, 2025 03:05:14.115299940 CET	50008	445	192.168.2.4	122.116.214.234
Jan 15, 2025 03:05:14.115441084 CET	50008	445	192.168.2.4	122.116.214.234
Jan 15, 2025 03:05:14.115689993 CET	50009	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.120661020 CET	445	50009	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:14.120781898 CET	50009	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.120809078 CET	445	50008	122.116.214.234	192.168.2.4
Jan 15, 2025 03:05:14.120873928 CET	50009	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.120872974 CET	50008	445	192.168.2.4	122.116.214.234
Jan 15, 2025 03:05:14.121118069 CET	50010	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.126092911 CET	445	50009	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:14.126152039 CET	50009	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.126498938 CET	445	50010	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:14.126557112 CET	50010	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.126576900 CET	50010	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:14.131345987 CET	445	50010	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:15.326872110 CET	445	49766	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:15.327126026 CET	49766	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:15.327126026 CET	49766	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:15.327171087 CET	49766	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:15.331952095 CET	445	49766	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:15.331963062 CET	445	49766	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:16.125658035 CET	50031	445	192.168.2.4	159.10.241.30
Jan 15, 2025 03:05:16.130486012 CET	445	50031	159.10.241.30	192.168.2.4
Jan 15, 2025 03:05:16.130611897 CET	50031	445	192.168.2.4	159.10.241.30
Jan 15, 2025 03:05:16.130650997 CET	50031	445	192.168.2.4	159.10.241.30
Jan 15, 2025 03:05:16.130989075 CET	50032	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.135606050 CET	445	50031	159.10.241.30	192.168.2.4
Jan 15, 2025 03:05:16.135664940 CET	50031	445	192.168.2.4	159.10.241.30
Jan 15, 2025 03:05:16.135930061 CET	445	50032	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:16.136009932 CET	50032	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.136009932 CET	50032	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.136303902 CET	50033	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.140980959 CET	445	50032	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:16.141041040 CET	50032	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.141130924 CET	445	50033	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:16.141191959 CET	50033	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.141222000 CET	50033	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:16.145975113 CET	445	50033	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:16.375727892 CET	50038	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:16.380561113 CET	445	50038	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:16.380665064 CET	50038	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:16.380753040 CET	50038	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:16.385593891 CET	445	50038	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:17.323163986 CET	445	49793	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:17.323328972 CET	49793	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:17.323472977 CET	49793	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:17.323472977 CET	49793	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:17.328279018 CET	445	49793	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:17.328289032 CET	445	49793	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:18.141184092 CET	50040	445	192.168.2.4	148.155.59.221
Jan 15, 2025 03:05:18.146157026 CET	445	50040	148.155.59.221	192.168.2.4
Jan 15, 2025 03:05:18.146241903 CET	50040	445	192.168.2.4	148.155.59.221
Jan 15, 2025 03:05:18.146265984 CET	50040	445	192.168.2.4	148.155.59.221
Jan 15, 2025 03:05:18.146373987 CET	50041	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.151201010 CET	445	50041	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:18.151258945 CET	50041	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.151278019 CET	50041	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.151304007 CET	445	50040	148.155.59.221	192.168.2.4
Jan 15, 2025 03:05:18.151352882 CET	50040	445	192.168.2.4	148.155.59.221
Jan 15, 2025 03:05:18.151585102 CET	50042	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.156266928 CET	445	50041	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:18.156331062 CET	50041	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.156460047 CET	445	50042	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:18.156521082 CET	50042	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.156558037 CET	50042	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:18.161379099 CET	445	50042	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:18.328696012 CET	50043	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:18.333548069 CET	445	50043	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:18.333647966 CET	50043	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:18.333735943 CET	50043	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:18.338536978 CET	445	50043	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:19.418299913 CET	445	49816	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:19.418431044 CET	49816	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:19.418587923 CET	49816	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:19.418658972 CET	49816	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:19.423727989 CET	445	49816	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:19.424230099 CET	445	49816	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:20.157040119 CET	50044	445	192.168.2.4	202.72.145.95
Jan 15, 2025 03:05:20.162033081 CET	445	50044	202.72.145.95	192.168.2.4
Jan 15, 2025 03:05:20.162159920 CET	50044	445	192.168.2.4	202.72.145.95
Jan 15, 2025 03:05:20.162203074 CET	50044	445	192.168.2.4	202.72.145.95
Jan 15, 2025 03:05:20.162420034 CET	50045	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.168437004 CET	445	50045	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:20.168584108 CET	50045	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.168607950 CET	50045	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.168622017 CET	445	50044	202.72.145.95	192.168.2.4
Jan 15, 2025 03:05:20.168684959 CET	50044	445	192.168.2.4	202.72.145.95
Jan 15, 2025 03:05:20.169070959 CET	50046	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.175008059 CET	445	50045	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:20.175081015 CET	50045	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.176147938 CET	445	50046	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:20.176234007 CET	50046	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.176337004 CET	50046	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:20.183058977 CET	445	50046	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:20.328622103 CET	50047	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:20.333796978 CET	445	50047	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:20.333880901 CET	50047	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:20.333951950 CET	50047	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:20.338781118 CET	445	50047	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:21.417849064 CET	445	49841	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:21.418035030 CET	49841	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:21.418126106 CET	49841	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:21.418201923 CET	49841	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:21.422943115 CET	445	49841	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:21.423118114 CET	445	49841	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:22.172329903 CET	50048	445	192.168.2.4	182.88.71.181
Jan 15, 2025 03:05:22.177160978 CET	445	50048	182.88.71.181	192.168.2.4
Jan 15, 2025 03:05:22.177234888 CET	50048	445	192.168.2.4	182.88.71.181
Jan 15, 2025 03:05:22.177277088 CET	50048	445	192.168.2.4	182.88.71.181
Jan 15, 2025 03:05:22.177417994 CET	50049	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.182143927 CET	445	50048	182.88.71.181	192.168.2.4
Jan 15, 2025 03:05:22.182188988 CET	445	50049	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:22.182195902 CET	50048	445	192.168.2.4	182.88.71.181
Jan 15, 2025 03:05:22.182245970 CET	50049	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.182300091 CET	50049	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.182548046 CET	50050	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.187199116 CET	445	50049	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:22.187237978 CET	50049	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.187380075 CET	445	50050	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:22.187428951 CET	50050	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.187463045 CET	50050	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:22.192234993 CET	445	50050	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:22.422472000 CET	50051	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:22.427337885 CET	445	50051	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:22.427429914 CET	50051	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:22.427521944 CET	50051	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:22.432477951 CET	445	50051	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:23.386162996 CET	445	49866	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:23.386353016 CET	49866	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:23.388283014 CET	49866	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:23.388350010 CET	49866	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:23.393625975 CET	445	49866	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:23.393964052 CET	445	49866	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:24.188280106 CET	50052	445	192.168.2.4	8.6.76.80
Jan 15, 2025 03:05:24.193258047 CET	445	50052	8.6.76.80	192.168.2.4
Jan 15, 2025 03:05:24.193315983 CET	50052	445	192.168.2.4	8.6.76.80
Jan 15, 2025 03:05:24.193339109 CET	50052	445	192.168.2.4	8.6.76.80
Jan 15, 2025 03:05:24.193471909 CET	50053	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.198307037 CET	445	50052	8.6.76.80	192.168.2.4
Jan 15, 2025 03:05:24.198318958 CET	445	50053	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:24.198374033 CET	50052	445	192.168.2.4	8.6.76.80
Jan 15, 2025 03:05:24.198407888 CET	50053	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.198479891 CET	50053	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.198827982 CET	50054	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.203442097 CET	445	50053	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:24.203485012 CET	50053	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.203614950 CET	445	50054	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:24.203660011 CET	50054	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.203691006 CET	50054	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:24.208466053 CET	445	50054	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:24.422945023 CET	50055	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:24.427738905 CET	445	50055	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:24.427807093 CET	50055	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:24.430119991 CET	50055	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:24.434912920 CET	445	50055	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:25.417581081 CET	445	49890	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:25.417932034 CET	49890	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:25.417932034 CET	49890	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:25.417932034 CET	49890	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:25.422837019 CET	445	49890	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:25.422847986 CET	445	49890	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:26.206610918 CET	50056	445	192.168.2.4	202.14.161.67
Jan 15, 2025 03:05:26.211534977 CET	445	50056	202.14.161.67	192.168.2.4
Jan 15, 2025 03:05:26.211627007 CET	50056	445	192.168.2.4	202.14.161.67
Jan 15, 2025 03:05:26.242398024 CET	50056	445	192.168.2.4	202.14.161.67
Jan 15, 2025 03:05:26.242652893 CET	50057	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.247225046 CET	445	50056	202.14.161.67	192.168.2.4
Jan 15, 2025 03:05:26.247318983 CET	50056	445	192.168.2.4	202.14.161.67
Jan 15, 2025 03:05:26.247651100 CET	445	50057	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:26.247725964 CET	50057	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.248719931 CET	50057	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.249114990 CET	50058	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.253499031 CET	445	50057	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:26.253575087 CET	50057	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.253878117 CET	445	50058	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:26.253943920 CET	50058	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.263511896 CET	50058	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:26.268302917 CET	445	50058	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:26.392508030 CET	50059	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:26.399645090 CET	445	50059	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:26.399744987 CET	50059	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:26.399816036 CET	50059	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:26.406573057 CET	445	50059	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:27.437100887 CET	445	49915	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:27.437203884 CET	49915	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:27.437295914 CET	49915	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:27.437351942 CET	49915	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:27.442131042 CET	445	49915	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:27.442147017 CET	445	49915	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:28.078924894 CET	50060	445	192.168.2.4	48.68.228.108
Jan 15, 2025 03:05:28.084548950 CET	445	50060	48.68.228.108	192.168.2.4
Jan 15, 2025 03:05:28.084731102 CET	50060	445	192.168.2.4	48.68.228.108
Jan 15, 2025 03:05:28.084731102 CET	50060	445	192.168.2.4	48.68.228.108
Jan 15, 2025 03:05:28.084939003 CET	50061	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.089759111 CET	445	50061	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:28.089838028 CET	50061	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.089871883 CET	50061	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.090109110 CET	50062	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.106374979 CET	445	50060	48.68.228.108	192.168.2.4
Jan 15, 2025 03:05:28.106623888 CET	50060	445	192.168.2.4	48.68.228.108
Jan 15, 2025 03:05:28.106678963 CET	445	50062	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:28.106750965 CET	50062	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.106811047 CET	50062	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.109850883 CET	445	50061	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:28.109921932 CET	50061	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:28.111516953 CET	445	50062	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:28.422302008 CET	50063	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:28.427104950 CET	445	50063	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:28.427248001 CET	50063	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:28.427292109 CET	50063	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:28.432043076 CET	445	50063	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:29.464417934 CET	445	49939	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:29.464684963 CET	49939	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:29.464773893 CET	49939	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:29.464831114 CET	49939	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:29.469594002 CET	445	49939	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:29.469604969 CET	445	49939	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:29.828763962 CET	50064	445	192.168.2.4	2.126.104.124
Jan 15, 2025 03:05:29.833600998 CET	445	50064	2.126.104.124	192.168.2.4
Jan 15, 2025 03:05:29.833690882 CET	50064	445	192.168.2.4	2.126.104.124
Jan 15, 2025 03:05:29.833708048 CET	50064	445	192.168.2.4	2.126.104.124
Jan 15, 2025 03:05:29.833870888 CET	50065	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.838880062 CET	445	50065	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:29.838947058 CET	50065	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.838999987 CET	445	50064	2.126.104.124	192.168.2.4
Jan 15, 2025 03:05:29.839021921 CET	50065	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.839042902 CET	50064	445	192.168.2.4	2.126.104.124
Jan 15, 2025 03:05:29.839323044 CET	50066	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.843921900 CET	445	50065	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:29.843976021 CET	50065	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.844218969 CET	445	50066	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:29.844281912 CET	50066	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.844319105 CET	50066	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:29.849144936 CET	445	50066	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:30.437823057 CET	50067	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:30.442661047 CET	445	50067	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:30.442751884 CET	50067	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:30.442783117 CET	50067	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:30.447660923 CET	445	50067	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:31.469965935 CET	50068	445	192.168.2.4	191.37.254.57
Jan 15, 2025 03:05:31.475425005 CET	445	50068	191.37.254.57	192.168.2.4
Jan 15, 2025 03:05:31.475490093 CET	50068	445	192.168.2.4	191.37.254.57
Jan 15, 2025 03:05:31.475573063 CET	50068	445	192.168.2.4	191.37.254.57
Jan 15, 2025 03:05:31.475776911 CET	50069	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.480405092 CET	445	50068	191.37.254.57	192.168.2.4
Jan 15, 2025 03:05:31.480448008 CET	50068	445	192.168.2.4	191.37.254.57
Jan 15, 2025 03:05:31.480601072 CET	445	50069	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:31.480659962 CET	50069	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.480850935 CET	50069	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.481379032 CET	50070	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.485692978 CET	445	50069	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:31.485743999 CET	50069	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.486135006 CET	445	50070	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:31.486183882 CET	50070	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.486223936 CET	50070	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:31.491031885 CET	445	50070	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:31.496793032 CET	445	49964	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:31.496849060 CET	49964	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:31.496889114 CET	49964	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:31.497018099 CET	49964	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:31.501590967 CET	445	49964	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:31.501723051 CET	445	49964	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:32.469276905 CET	50071	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:32.474277973 CET	445	50071	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:32.474361897 CET	50071	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:32.474405050 CET	50071	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:32.479249954 CET	445	50071	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:33.000719070 CET	50072	445	192.168.2.4	77.27.163.46
Jan 15, 2025 03:05:33.005578041 CET	445	50072	77.27.163.46	192.168.2.4
Jan 15, 2025 03:05:33.005700111 CET	50072	445	192.168.2.4	77.27.163.46
Jan 15, 2025 03:05:33.005731106 CET	50072	445	192.168.2.4	77.27.163.46
Jan 15, 2025 03:05:33.005948067 CET	50073	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.010674000 CET	445	50073	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:33.010745049 CET	50073	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.010762930 CET	50073	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.010783911 CET	445	50072	77.27.163.46	192.168.2.4
Jan 15, 2025 03:05:33.010826111 CET	50072	445	192.168.2.4	77.27.163.46
Jan 15, 2025 03:05:33.011075020 CET	50074	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.015904903 CET	445	50074	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:33.015961885 CET	50074	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.015985966 CET	50074	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.016024113 CET	445	50073	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:33.016062975 CET	50073	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:33.020735025 CET	445	50074	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:33.499669075 CET	445	49989	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:33.499839067 CET	49989	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:33.499839067 CET	49989	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:33.499839067 CET	49989	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:33.504664898 CET	445	49989	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:33.504678011 CET	445	49989	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:34.422920942 CET	50075	445	192.168.2.4	38.133.158.54
Jan 15, 2025 03:05:34.429343939 CET	445	50075	38.133.158.54	192.168.2.4
Jan 15, 2025 03:05:34.429461956 CET	50075	445	192.168.2.4	38.133.158.54
Jan 15, 2025 03:05:34.431149006 CET	50075	445	192.168.2.4	38.133.158.54
Jan 15, 2025 03:05:34.431391001 CET	50076	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.437582016 CET	445	50076	38.133.158.1	192.168.2.4
Jan 15, 2025 03:05:34.437606096 CET	445	50075	38.133.158.54	192.168.2.4
Jan 15, 2025 03:05:34.437668085 CET	50076	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.437684059 CET	50075	445	192.168.2.4	38.133.158.54
Jan 15, 2025 03:05:34.437836885 CET	50076	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.438216925 CET	50077	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.443036079 CET	445	50077	38.133.158.1	192.168.2.4
Jan 15, 2025 03:05:34.443092108 CET	50077	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.443123102 CET	50077	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.443172932 CET	445	50076	38.133.158.1	192.168.2.4
Jan 15, 2025 03:05:34.443242073 CET	50076	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:34.448131084 CET	445	50077	38.133.158.1	192.168.2.4
Jan 15, 2025 03:05:34.500340939 CET	50078	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:34.506623983 CET	445	50078	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:34.506736040 CET	50078	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:34.506772041 CET	50078	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:34.513712883 CET	445	50078	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:35.517131090 CET	445	50010	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:35.517191887 CET	50010	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:35.517225981 CET	50010	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:35.517267942 CET	50010	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:35.522123098 CET	445	50010	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:35.522135019 CET	445	50010	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:35.750935078 CET	50080	445	192.168.2.4	163.159.85.24
Jan 15, 2025 03:05:35.757911921 CET	445	50080	163.159.85.24	192.168.2.4
Jan 15, 2025 03:05:35.757982969 CET	50080	445	192.168.2.4	163.159.85.24
Jan 15, 2025 03:05:35.758049965 CET	50080	445	192.168.2.4	163.159.85.24
Jan 15, 2025 03:05:35.758210897 CET	50081	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.764661074 CET	445	50081	163.159.85.1	192.168.2.4
Jan 15, 2025 03:05:35.764733076 CET	50081	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.764759064 CET	445	50080	163.159.85.24	192.168.2.4
Jan 15, 2025 03:05:35.764811039 CET	50080	445	192.168.2.4	163.159.85.24
Jan 15, 2025 03:05:35.764816046 CET	50081	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.765127897 CET	50082	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.771857023 CET	445	50081	163.159.85.1	192.168.2.4
Jan 15, 2025 03:05:35.771939993 CET	50081	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.772249937 CET	445	50082	163.159.85.1	192.168.2.4
Jan 15, 2025 03:05:35.772316933 CET	50082	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.772358894 CET	50082	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:35.778664112 CET	445	50082	163.159.85.1	192.168.2.4
Jan 15, 2025 03:05:36.501132965 CET	50088	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:36.505983114 CET	445	50088	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:36.506045103 CET	50088	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:36.508433104 CET	50088	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:36.513360977 CET	445	50088	12.102.136.1	192.168.2.4
Jan 15, 2025 03:05:37.000562906 CET	50089	445	192.168.2.4	180.199.173.218
Jan 15, 2025 03:05:37.005507946 CET	445	50089	180.199.173.218	192.168.2.4
Jan 15, 2025 03:05:37.005587101 CET	50089	445	192.168.2.4	180.199.173.218
Jan 15, 2025 03:05:37.005696058 CET	50089	445	192.168.2.4	180.199.173.218
Jan 15, 2025 03:05:37.005844116 CET	50090	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.010581017 CET	445	50089	180.199.173.218	192.168.2.4
Jan 15, 2025 03:05:37.010592937 CET	445	50090	180.199.173.1	192.168.2.4
Jan 15, 2025 03:05:37.010632038 CET	50089	445	192.168.2.4	180.199.173.218
Jan 15, 2025 03:05:37.010668993 CET	50090	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.010756016 CET	50090	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.010996103 CET	50091	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.015650034 CET	445	50090	180.199.173.1	192.168.2.4
Jan 15, 2025 03:05:37.015712023 CET	50090	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.015870094 CET	445	50091	180.199.173.1	192.168.2.4
Jan 15, 2025 03:05:37.015928030 CET	50091	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.015954018 CET	50091	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:37.020678043 CET	445	50091	180.199.173.1	192.168.2.4
Jan 15, 2025 03:05:37.495872021 CET	445	50033	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:37.495966911 CET	50033	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:37.496006966 CET	50033	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:37.496053934 CET	50033	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:37.502703905 CET	445	50033	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:37.503765106 CET	445	50033	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:37.747545958 CET	445	50038	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:37.747689962 CET	50038	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:37.747730017 CET	50038	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:37.747792959 CET	50038	445	192.168.2.4	183.50.126.1
Jan 15, 2025 03:05:37.752476931 CET	445	50038	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:37.752670050 CET	445	50038	183.50.126.1	192.168.2.4
Jan 15, 2025 03:05:37.812892914 CET	50098	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.819595098 CET	445	50098	183.50.126.2	192.168.2.4
Jan 15, 2025 03:05:37.819669008 CET	50098	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.819708109 CET	50098	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.819998980 CET	50099	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.826314926 CET	445	50098	183.50.126.2	192.168.2.4
Jan 15, 2025 03:05:37.826368093 CET	50098	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.826556921 CET	445	50099	183.50.126.2	192.168.2.4
Jan 15, 2025 03:05:37.826611996 CET	50099	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.826651096 CET	50099	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:37.833642960 CET	445	50099	183.50.126.2	192.168.2.4
Jan 15, 2025 03:05:38.165278912 CET	50105	445	192.168.2.4	151.171.58.30
Jan 15, 2025 03:05:38.170344114 CET	445	50105	151.171.58.30	192.168.2.4
Jan 15, 2025 03:05:38.171255112 CET	50105	445	192.168.2.4	151.171.58.30
Jan 15, 2025 03:05:38.171334982 CET	50105	445	192.168.2.4	151.171.58.30
Jan 15, 2025 03:05:38.171506882 CET	50106	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.176599979 CET	445	50106	151.171.58.1	192.168.2.4
Jan 15, 2025 03:05:38.176791906 CET	445	50105	151.171.58.30	192.168.2.4
Jan 15, 2025 03:05:38.176881075 CET	50105	445	192.168.2.4	151.171.58.30
Jan 15, 2025 03:05:38.176892042 CET	50106	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.176986933 CET	50106	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.177309036 CET	50107	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.181829929 CET	445	50106	151.171.58.1	192.168.2.4
Jan 15, 2025 03:05:38.182086945 CET	445	50107	151.171.58.1	192.168.2.4
Jan 15, 2025 03:05:38.182151079 CET	50106	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.182182074 CET	50107	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.182229996 CET	50107	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:38.186949968 CET	445	50107	151.171.58.1	192.168.2.4
Jan 15, 2025 03:05:38.531610966 CET	50108	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:38.536477089 CET	445	50108	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:38.536551952 CET	50108	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:38.536591053 CET	50108	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:38.541343927 CET	445	50108	122.116.214.1	192.168.2.4
Jan 15, 2025 03:05:39.248245955 CET	50114	445	192.168.2.4	151.131.117.202
Jan 15, 2025 03:05:39.253050089 CET	445	50114	151.131.117.202	192.168.2.4
Jan 15, 2025 03:05:39.253114939 CET	50114	445	192.168.2.4	151.131.117.202
Jan 15, 2025 03:05:39.253261089 CET	50114	445	192.168.2.4	151.131.117.202
Jan 15, 2025 03:05:39.253417015 CET	50115	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.258107901 CET	445	50114	151.131.117.202	192.168.2.4
Jan 15, 2025 03:05:39.258163929 CET	50114	445	192.168.2.4	151.131.117.202
Jan 15, 2025 03:05:39.258188963 CET	445	50115	151.131.117.1	192.168.2.4
Jan 15, 2025 03:05:39.258249044 CET	50115	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.258295059 CET	50115	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.262170076 CET	50116	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.263176918 CET	445	50115	151.131.117.1	192.168.2.4
Jan 15, 2025 03:05:39.263223886 CET	50115	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.266936064 CET	445	50116	151.131.117.1	192.168.2.4
Jan 15, 2025 03:05:39.267239094 CET	50116	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.269342899 CET	50116	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:39.274207115 CET	445	50116	151.131.117.1	192.168.2.4
Jan 15, 2025 03:05:39.546622038 CET	445	50042	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:39.546681881 CET	50042	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:39.546720982 CET	50042	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:39.546752930 CET	50042	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:39.551598072 CET	445	50042	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:39.551608086 CET	445	50042	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:39.699115992 CET	445	50043	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:39.699228048 CET	50043	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:39.699274063 CET	50043	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:39.699342966 CET	50043	445	192.168.2.4	207.109.181.1
Jan 15, 2025 03:05:39.704154968 CET	445	50043	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:39.704165936 CET	445	50043	207.109.181.1	192.168.2.4
Jan 15, 2025 03:05:39.750478029 CET	50122	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.757555008 CET	445	50122	207.109.181.2	192.168.2.4
Jan 15, 2025 03:05:39.757622957 CET	50122	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.757703066 CET	50122	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.758120060 CET	50123	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.762655973 CET	445	50122	207.109.181.2	192.168.2.4
Jan 15, 2025 03:05:39.762708902 CET	50122	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.763077974 CET	445	50123	207.109.181.2	192.168.2.4
Jan 15, 2025 03:05:39.763161898 CET	50123	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.763161898 CET	50123	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:39.767940044 CET	445	50123	207.109.181.2	192.168.2.4
Jan 15, 2025 03:05:40.266426086 CET	50124	445	192.168.2.4	57.176.241.137
Jan 15, 2025 03:05:40.271384954 CET	445	50124	57.176.241.137	192.168.2.4
Jan 15, 2025 03:05:40.273539066 CET	50124	445	192.168.2.4	57.176.241.137
Jan 15, 2025 03:05:40.273617983 CET	50124	445	192.168.2.4	57.176.241.137
Jan 15, 2025 03:05:40.273775101 CET	50125	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.278570890 CET	445	50124	57.176.241.137	192.168.2.4
Jan 15, 2025 03:05:40.278584957 CET	445	50125	57.176.241.1	192.168.2.4
Jan 15, 2025 03:05:40.278718948 CET	50124	445	192.168.2.4	57.176.241.137
Jan 15, 2025 03:05:40.278767109 CET	50125	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.278888941 CET	50125	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.279396057 CET	50126	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.283727884 CET	445	50125	57.176.241.1	192.168.2.4
Jan 15, 2025 03:05:40.283793926 CET	50125	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.284210920 CET	445	50126	57.176.241.1	192.168.2.4
Jan 15, 2025 03:05:40.284272909 CET	50126	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.284419060 CET	50126	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:40.289194107 CET	445	50126	57.176.241.1	192.168.2.4
Jan 15, 2025 03:05:40.500399113 CET	50132	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:40.505321980 CET	445	50132	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:40.507258892 CET	50132	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:40.507309914 CET	50132	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:40.512243032 CET	445	50132	159.10.241.1	192.168.2.4
Jan 15, 2025 03:05:41.203866005 CET	50138	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.208709002 CET	445	50138	39.122.246.1	192.168.2.4
Jan 15, 2025 03:05:41.208822966 CET	50138	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.208873034 CET	50138	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.209099054 CET	50139	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.216602087 CET	445	50138	39.122.246.1	192.168.2.4
Jan 15, 2025 03:05:41.216618061 CET	445	50139	39.122.246.1	192.168.2.4
Jan 15, 2025 03:05:41.216682911 CET	50138	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.216716051 CET	50139	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.216864109 CET	50139	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.217267036 CET	50140	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.222095013 CET	445	50139	39.122.246.1	192.168.2.4
Jan 15, 2025 03:05:41.222243071 CET	445	50140	39.122.246.1	192.168.2.4
Jan 15, 2025 03:05:41.222295046 CET	50139	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.222331047 CET	50140	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.222374916 CET	50140	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:41.228189945 CET	445	50140	39.122.246.1	192.168.2.4
Jan 15, 2025 03:05:41.529002905 CET	445	50046	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:41.529081106 CET	50046	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:41.529156923 CET	50046	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:41.529156923 CET	50046	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:41.534459114 CET	445	50046	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:41.534477949 CET	445	50046	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:41.700998068 CET	445	50047	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:41.701298952 CET	50047	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:41.701299906 CET	50047	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:41.701400042 CET	50047	445	192.168.2.4	43.87.172.1
Jan 15, 2025 03:05:41.709665060 CET	445	50047	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:41.709693909 CET	445	50047	43.87.172.1	192.168.2.4
Jan 15, 2025 03:05:41.767702103 CET	50141	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.775249958 CET	445	50141	43.87.172.2	192.168.2.4
Jan 15, 2025 03:05:41.779261112 CET	50141	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.779294968 CET	50141	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.779898882 CET	50142	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.787441969 CET	445	50142	43.87.172.2	192.168.2.4
Jan 15, 2025 03:05:41.787467003 CET	445	50141	43.87.172.2	192.168.2.4
Jan 15, 2025 03:05:41.787554026 CET	50141	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.787633896 CET	50142	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.787633896 CET	50142	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:41.796937943 CET	445	50142	43.87.172.2	192.168.2.4
Jan 15, 2025 03:05:42.078814030 CET	50148	445	192.168.2.4	201.38.141.37
Jan 15, 2025 03:05:42.547455072 CET	50149	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:42.907108068 CET	50150	445	192.168.2.4	200.221.205.31
Jan 15, 2025 03:05:43.093920946 CET	50148	445	192.168.2.4	201.38.141.37
Jan 15, 2025 03:05:43.203654051 CET	50151	445	192.168.2.4	110.169.215.145
Jan 15, 2025 03:05:43.265711069 CET	445	50148	201.38.141.37	192.168.2.4
Jan 15, 2025 03:05:43.265733957 CET	445	50149	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:43.265758038 CET	445	50150	200.221.205.31	192.168.2.4
Jan 15, 2025 03:05:43.265762091 CET	445	50148	201.38.141.37	192.168.2.4
Jan 15, 2025 03:05:43.265765905 CET	445	50151	110.169.215.145	192.168.2.4
Jan 15, 2025 03:05:43.265783072 CET	50148	445	192.168.2.4	201.38.141.37
Jan 15, 2025 03:05:43.265841961 CET	50149	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:43.265861988 CET	50148	445	192.168.2.4	201.38.141.37
Jan 15, 2025 03:05:43.265866041 CET	50150	445	192.168.2.4	200.221.205.31
Jan 15, 2025 03:05:43.265930891 CET	50151	445	192.168.2.4	110.169.215.145
Jan 15, 2025 03:05:43.265930891 CET	50149	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:43.266009092 CET	50150	445	192.168.2.4	200.221.205.31
Jan 15, 2025 03:05:43.266016006 CET	50151	445	192.168.2.4	110.169.215.145
Jan 15, 2025 03:05:43.266196012 CET	50152	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.266242981 CET	50153	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.273823977 CET	445	50149	148.155.59.1	192.168.2.4
Jan 15, 2025 03:05:43.273833036 CET	445	50152	200.221.205.1	192.168.2.4
Jan 15, 2025 03:05:43.273840904 CET	445	50153	110.169.215.1	192.168.2.4
Jan 15, 2025 03:05:43.273885965 CET	50152	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.273910046 CET	50153	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.273962975 CET	50153	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.273962975 CET	50152	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.274235964 CET	50154	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.274292946 CET	50155	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.275933027 CET	445	50150	200.221.205.31	192.168.2.4
Jan 15, 2025 03:05:43.276002884 CET	50150	445	192.168.2.4	200.221.205.31
Jan 15, 2025 03:05:43.276321888 CET	445	50151	110.169.215.145	192.168.2.4
Jan 15, 2025 03:05:43.276380062 CET	50151	445	192.168.2.4	110.169.215.145
Jan 15, 2025 03:05:43.281961918 CET	445	50153	110.169.215.1	192.168.2.4
Jan 15, 2025 03:05:43.281972885 CET	445	50154	200.221.205.1	192.168.2.4
Jan 15, 2025 03:05:43.282008886 CET	50153	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.282008886 CET	445	50155	110.169.215.1	192.168.2.4
Jan 15, 2025 03:05:43.282022953 CET	445	50152	200.221.205.1	192.168.2.4
Jan 15, 2025 03:05:43.282031059 CET	50154	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.282051086 CET	50155	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.282078981 CET	50154	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.282078981 CET	50152	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:43.282126904 CET	50155	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:43.290606976 CET	445	50154	200.221.205.1	192.168.2.4
Jan 15, 2025 03:05:43.290622950 CET	445	50155	110.169.215.1	192.168.2.4
Jan 15, 2025 03:05:43.545990944 CET	445	50050	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:43.546108007 CET	50050	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:43.546164989 CET	50050	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:43.546225071 CET	50050	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:43.552048922 CET	445	50050	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:43.552066088 CET	445	50050	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:43.672817945 CET	50161	445	192.168.2.4	134.127.38.237
Jan 15, 2025 03:05:43.679018974 CET	445	50161	134.127.38.237	192.168.2.4
Jan 15, 2025 03:05:43.679124117 CET	50161	445	192.168.2.4	134.127.38.237
Jan 15, 2025 03:05:43.679205894 CET	50161	445	192.168.2.4	134.127.38.237
Jan 15, 2025 03:05:43.679508924 CET	50162	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.684577942 CET	445	50161	134.127.38.237	192.168.2.4
Jan 15, 2025 03:05:43.685576916 CET	445	50161	134.127.38.237	192.168.2.4
Jan 15, 2025 03:05:43.685610056 CET	445	50162	134.127.38.1	192.168.2.4
Jan 15, 2025 03:05:43.685645103 CET	50161	445	192.168.2.4	134.127.38.237
Jan 15, 2025 03:05:43.685694933 CET	50162	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.685815096 CET	50162	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.686237097 CET	50163	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.692133904 CET	445	50162	134.127.38.1	192.168.2.4
Jan 15, 2025 03:05:43.692167044 CET	445	50163	134.127.38.1	192.168.2.4
Jan 15, 2025 03:05:43.692277908 CET	50162	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.692295074 CET	50163	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.692361116 CET	50163	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:43.698803902 CET	445	50163	134.127.38.1	192.168.2.4
Jan 15, 2025 03:05:43.824285030 CET	445	50051	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:43.824429989 CET	50051	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:43.824500084 CET	50051	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:43.824609041 CET	50051	445	192.168.2.4	86.128.111.1
Jan 15, 2025 03:05:43.832194090 CET	445	50051	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:43.832226992 CET	445	50051	86.128.111.1	192.168.2.4
Jan 15, 2025 03:05:43.891141891 CET	50164	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.018034935 CET	445	50164	86.128.111.2	192.168.2.4
Jan 15, 2025 03:05:44.018305063 CET	50164	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.018306017 CET	50164	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.018656969 CET	50165	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.023464918 CET	445	50164	86.128.111.2	192.168.2.4
Jan 15, 2025 03:05:44.023524046 CET	445	50165	86.128.111.2	192.168.2.4
Jan 15, 2025 03:05:44.023540974 CET	50164	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.023590088 CET	50165	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.023631096 CET	50165	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:44.028558016 CET	445	50165	86.128.111.2	192.168.2.4
Jan 15, 2025 03:05:44.531575918 CET	50172	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:44.537334919 CET	445	50172	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:44.537431002 CET	50172	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:44.537461996 CET	50172	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:44.543406010 CET	445	50172	202.72.145.1	192.168.2.4
Jan 15, 2025 03:05:45.543015003 CET	445	50054	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:45.543131113 CET	50054	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:45.543216944 CET	50054	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:45.543283939 CET	50054	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:45.548134089 CET	445	50054	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:45.548163891 CET	445	50054	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:45.812943935 CET	445	50055	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:45.813015938 CET	50055	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:45.813101053 CET	50055	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:45.813124895 CET	50055	445	192.168.2.4	221.48.37.1
Jan 15, 2025 03:05:45.817956924 CET	445	50055	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:45.817991018 CET	445	50055	221.48.37.1	192.168.2.4
Jan 15, 2025 03:05:45.875469923 CET	50181	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.880314112 CET	445	50181	221.48.37.2	192.168.2.4
Jan 15, 2025 03:05:45.880402088 CET	50181	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.880444050 CET	50181	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.880827904 CET	50182	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.886372089 CET	445	50182	221.48.37.2	192.168.2.4
Jan 15, 2025 03:05:45.886382103 CET	445	50181	221.48.37.2	192.168.2.4
Jan 15, 2025 03:05:45.886440992 CET	50181	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.886476040 CET	50182	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.886533976 CET	50182	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:45.891917944 CET	445	50182	221.48.37.2	192.168.2.4
Jan 15, 2025 03:05:46.531560898 CET	49723	80	192.168.2.4	2.22.50.131
Jan 15, 2025 03:05:46.531729937 CET	49724	80	192.168.2.4	2.22.50.131
Jan 15, 2025 03:05:46.536593914 CET	80	49723	2.22.50.131	192.168.2.4
Jan 15, 2025 03:05:46.536659956 CET	49723	80	192.168.2.4	2.22.50.131
Jan 15, 2025 03:05:46.536906958 CET	80	49724	2.22.50.131	192.168.2.4
Jan 15, 2025 03:05:46.536967039 CET	49724	80	192.168.2.4	2.22.50.131
Jan 15, 2025 03:05:46.547183990 CET	50190	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:46.552043915 CET	445	50190	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:46.552119970 CET	50190	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:46.552139997 CET	50190	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:46.556922913 CET	445	50190	182.88.71.1	192.168.2.4
Jan 15, 2025 03:05:47.622880936 CET	445	50058	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:47.622953892 CET	50058	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:47.623028994 CET	50058	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:47.623029947 CET	50058	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:47.628002882 CET	445	50058	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:47.628032923 CET	445	50058	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:47.761779070 CET	445	50059	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:47.765882969 CET	50059	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:47.766067028 CET	50059	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:47.766206980 CET	50059	445	192.168.2.4	45.97.165.1
Jan 15, 2025 03:05:47.772392988 CET	445	50059	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:47.773509979 CET	445	50059	45.97.165.1	192.168.2.4
Jan 15, 2025 03:05:47.828742027 CET	50209	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.835611105 CET	445	50209	45.97.165.2	192.168.2.4
Jan 15, 2025 03:05:47.837404013 CET	50209	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.837462902 CET	50209	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.837743044 CET	50210	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.845280886 CET	445	50210	45.97.165.2	192.168.2.4
Jan 15, 2025 03:05:47.845313072 CET	445	50209	45.97.165.2	192.168.2.4
Jan 15, 2025 03:05:47.845391035 CET	50209	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.845482111 CET	50210	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.845482111 CET	50210	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:47.852413893 CET	445	50210	45.97.165.2	192.168.2.4
Jan 15, 2025 03:05:48.547329903 CET	50222	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:48.552478075 CET	445	50222	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:48.555289030 CET	50222	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:48.559220076 CET	50222	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:48.564058065 CET	445	50222	8.6.76.1	192.168.2.4
Jan 15, 2025 03:05:49.497889042 CET	445	50062	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:49.498030901 CET	50062	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:49.498188019 CET	50062	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:49.498244047 CET	50062	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:49.503014088 CET	445	50062	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:49.503026962 CET	445	50062	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:49.810578108 CET	445	50063	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:49.810693026 CET	50063	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:49.810722113 CET	50063	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:49.810766935 CET	50063	445	192.168.2.4	155.195.218.1
Jan 15, 2025 03:05:49.815526962 CET	445	50063	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:49.815541983 CET	445	50063	155.195.218.1	192.168.2.4
Jan 15, 2025 03:05:49.875587940 CET	50242	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.881980896 CET	445	50242	155.195.218.2	192.168.2.4
Jan 15, 2025 03:05:49.883285046 CET	50242	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.883341074 CET	50242	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.883716106 CET	50243	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.888339996 CET	445	50242	155.195.218.2	192.168.2.4
Jan 15, 2025 03:05:49.888648033 CET	445	50243	155.195.218.2	192.168.2.4
Jan 15, 2025 03:05:49.888730049 CET	50242	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.888912916 CET	50243	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.888914108 CET	50243	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:49.893809080 CET	445	50243	155.195.218.2	192.168.2.4
Jan 15, 2025 03:05:50.625642061 CET	50258	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:50.631865025 CET	445	50258	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:50.631959915 CET	50258	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:50.631998062 CET	50258	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:50.636734962 CET	445	50258	202.14.161.1	192.168.2.4
Jan 15, 2025 03:05:51.199385881 CET	445	50066	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:51.199671030 CET	50066	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:51.207972050 CET	50066	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:51.208013058 CET	50066	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:51.212819099 CET	445	50066	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:51.212830067 CET	445	50066	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:51.844136000 CET	445	50067	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:51.844203949 CET	50067	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:51.844230890 CET	50067	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:51.844259024 CET	50067	445	192.168.2.4	35.65.202.1
Jan 15, 2025 03:05:51.849020958 CET	445	50067	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:51.849033117 CET	445	50067	35.65.202.1	192.168.2.4
Jan 15, 2025 03:05:51.906848907 CET	50292	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.911768913 CET	445	50292	35.65.202.2	192.168.2.4
Jan 15, 2025 03:05:51.911865950 CET	50292	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.911955118 CET	50292	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.912280083 CET	50293	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.916901112 CET	445	50292	35.65.202.2	192.168.2.4
Jan 15, 2025 03:05:51.917032003 CET	50292	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.917121887 CET	445	50293	35.65.202.2	192.168.2.4
Jan 15, 2025 03:05:51.917186975 CET	50293	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.917201042 CET	50293	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:51.922041893 CET	445	50293	35.65.202.2	192.168.2.4
Jan 15, 2025 03:05:52.500466108 CET	50312	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:52.507268906 CET	445	50312	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:52.507428885 CET	50312	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:52.507428885 CET	50312	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:52.512326956 CET	445	50312	48.68.228.1	192.168.2.4
Jan 15, 2025 03:05:52.840169907 CET	445	50070	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:52.840601921 CET	50070	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:52.840601921 CET	50070	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:52.840601921 CET	50070	445	192.168.2.4	191.37.254.1
Jan 15, 2025 03:05:52.845537901 CET	445	50070	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:52.845566988 CET	445	50070	191.37.254.1	192.168.2.4
Jan 15, 2025 03:05:53.859946966 CET	445	50071	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:53.860039949 CET	50071	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:53.863574028 CET	50071	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:53.863629103 CET	50071	445	192.168.2.4	199.24.168.1
Jan 15, 2025 03:05:53.868495941 CET	445	50071	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:53.868527889 CET	445	50071	199.24.168.1	192.168.2.4
Jan 15, 2025 03:05:53.937927961 CET	50365	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.943039894 CET	445	50365	199.24.168.2	192.168.2.4
Jan 15, 2025 03:05:53.943181992 CET	50365	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.946069956 CET	50365	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.950169086 CET	50367	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.950932026 CET	445	50365	199.24.168.2	192.168.2.4
Jan 15, 2025 03:05:53.951004982 CET	50365	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.955041885 CET	445	50367	199.24.168.2	192.168.2.4
Jan 15, 2025 03:05:53.955143929 CET	50367	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.955143929 CET	50367	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:05:53.959981918 CET	445	50367	199.24.168.2	192.168.2.4
Jan 15, 2025 03:05:54.219223976 CET	50379	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:54.224381924 CET	445	50379	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:54.224494934 CET	50379	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:54.224494934 CET	50379	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:54.229398966 CET	445	50379	2.126.104.1	192.168.2.4
Jan 15, 2025 03:05:54.371867895 CET	445	50074	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:54.371939898 CET	50074	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:54.371985912 CET	50074	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:54.372023106 CET	50074	445	192.168.2.4	77.27.163.1
Jan 15, 2025 03:05:54.377670050 CET	445	50074	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:54.377700090 CET	445	50074	77.27.163.1	192.168.2.4
Jan 15, 2025 03:05:55.824487925 CET	445	50077	38.133.158.1	192.168.2.4
Jan 15, 2025 03:05:55.824603081 CET	50077	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:55.887278080 CET	445	50078	78.189.127.1	192.168.2.4
Jan 15, 2025 03:05:55.887360096 CET	50078	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:57.183801889 CET	445	50082	163.159.85.1	192.168.2.4
Jan 15, 2025 03:05:57.183960915 CET	50082	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:57.263021946 CET	50142	445	192.168.2.4	43.87.172.2
Jan 15, 2025 03:05:57.263048887 CET	50165	445	192.168.2.4	86.128.111.2
Jan 15, 2025 03:05:57.263062000 CET	50077	445	192.168.2.4	38.133.158.1
Jan 15, 2025 03:05:57.263065100 CET	50078	445	192.168.2.4	78.189.127.1
Jan 15, 2025 03:05:57.263103962 CET	50126	445	192.168.2.4	57.176.241.1
Jan 15, 2025 03:05:57.263122082 CET	50182	445	192.168.2.4	221.48.37.2
Jan 15, 2025 03:05:57.263231993 CET	50088	445	192.168.2.4	12.102.136.1
Jan 15, 2025 03:05:57.263267040 CET	50243	445	192.168.2.4	155.195.218.2
Jan 15, 2025 03:05:57.263309002 CET	50132	445	192.168.2.4	159.10.241.1
Jan 15, 2025 03:05:57.263410091 CET	50099	445	192.168.2.4	183.50.126.2
Jan 15, 2025 03:05:57.263423920 CET	50082	445	192.168.2.4	163.159.85.1
Jan 15, 2025 03:05:57.263453007 CET	50091	445	192.168.2.4	180.199.173.1
Jan 15, 2025 03:05:57.263467073 CET	50107	445	192.168.2.4	151.171.58.1
Jan 15, 2025 03:05:57.263542891 CET	50108	445	192.168.2.4	122.116.214.1
Jan 15, 2025 03:05:57.263550043 CET	50116	445	192.168.2.4	151.131.117.1
Jan 15, 2025 03:05:57.263562918 CET	50123	445	192.168.2.4	207.109.181.2
Jan 15, 2025 03:05:57.263582945 CET	50140	445	192.168.2.4	39.122.246.1
Jan 15, 2025 03:05:57.263592958 CET	50149	445	192.168.2.4	148.155.59.1
Jan 15, 2025 03:05:57.263623953 CET	50154	445	192.168.2.4	200.221.205.1
Jan 15, 2025 03:05:57.263669968 CET	50155	445	192.168.2.4	110.169.215.1
Jan 15, 2025 03:05:57.263683081 CET	50163	445	192.168.2.4	134.127.38.1
Jan 15, 2025 03:05:57.263683081 CET	50190	445	192.168.2.4	182.88.71.1
Jan 15, 2025 03:05:57.263731003 CET	50258	445	192.168.2.4	202.14.161.1
Jan 15, 2025 03:05:57.263747931 CET	50210	445	192.168.2.4	45.97.165.2
Jan 15, 2025 03:05:57.263752937 CET	50172	445	192.168.2.4	202.72.145.1
Jan 15, 2025 03:05:57.263761997 CET	50222	445	192.168.2.4	8.6.76.1
Jan 15, 2025 03:05:57.263797998 CET	50312	445	192.168.2.4	48.68.228.1
Jan 15, 2025 03:05:57.263809919 CET	50293	445	192.168.2.4	35.65.202.2
Jan 15, 2025 03:05:57.263961077 CET	50379	445	192.168.2.4	2.126.104.1
Jan 15, 2025 03:05:57.263961077 CET	50367	445	192.168.2.4	199.24.168.2
Jan 15, 2025 03:06:03.025840998 CET	80	49731	2.23.77.188	192.168.2.4
Jan 15, 2025 03:06:03.025996923 CET	49731	80	192.168.2.4	2.23.77.188

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 03:04:47.643512964 CET	55668	53	192.168.2.4	1.1.1.1
Jan 15, 2025 03:04:47.953341961 CET	53	55668	1.1.1.1	192.168.2.4
Jan 15, 2025 03:04:48.590125084 CET	64354	53	192.168.2.4	1.1.1.1
Jan 15, 2025 03:04:48.771353006 CET	53	64354	1.1.1.1	192.168.2.4
Jan 15, 2025 03:04:58.075829983 CET	138	138	192.168.2.4	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 03:04:47.643512964 CET	192.168.2.4	1.1.1.1	0x3fa9	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 03:04:48.590125084 CET	192.168.2.4	1.1.1.1	0xb1e2	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 03:04:47.953341961 CET	1.1.1.1	192.168.2.4	0x3fa9	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 03:04:48.771353006 CET	1.1.1.1	192.168.2.4	0xb1e2	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 03:04:48.771353006 CET	1.1.1.1	192.168.2.4	0xb1e2	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	103.224.212.215	80	7512	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 03:04:47.974740982 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 03:04:48.582285881 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 02:04:48 GMT server: Apache set-cookie: __tad=1736906688.6242741; expires=Sat, 13-Jan-2035 02:04:48 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-48cb-ab27-b1d7f25d9429 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	199.59.243.228	80	7512	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 03:04:48.777930021 CET	169	OUT	GET /?subid1=20250115-1304-48cb-ab27-b1d7f25d9429 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 03:04:49.271224022 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 02:04:48 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 84ae1b42-84fc-4740-a603-6b20200136a7 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jDDhJ9xj736ksG+xyDQVtqAPCCooYgDXxhrEa+66zB/htnvJ2TLFLl1JZ3VddWQa3GhejUg3taluTE1g23URfw== set-cookie: parking_session=84ae1b42-84fc-4740-a603-6b20200136a7; expires=Wed, 15 Jan 2025 02:19:49 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 44 44 68 4a 39 78 6a 37 33 36 6b 73 47 2b 78 79 44 51 56 74 71 41 50 43 43 6f 6f 59 67 44 58 78 68 72 45 61 2b 36 36 7a 42 2f 68 74 6e 76 4a 32 54 4c 46 4c 6c 31 4a 5a 33 56 64 64 57 51 61 33 47 68 65 6a 55 67 33 74 61 6c 75 54 45 31 67 32 33 55 52 66 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jDDhJ9xj736ksG+xyDQVtqAPCCooYgDXxhrEa+66zB/htnvJ2TLFLl1JZ3VddWQa3GhejUg3taluTE1g23URfw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 03:04:49.271244049 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODRhZTFiNDItODRmYy00NzQwLWE2MDMtNmIyMDIwMDEzNmE3IiwicGFnZV90aW1lIjoxNzM2OTA2Njg5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	103.224.212.215	80	7584	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 03:04:49.856250048 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 03:04:50.516004086 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 02:04:50 GMT server: Apache set-cookie: __tad=1736906690.5743032; expires=Sat, 13-Jan-2035 02:04:50 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5082-90f7-a7068eb2f250 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	103.224.212.215	80	7656	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 03:04:50.524604082 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736906688.6242741
Jan 15, 2025 03:04:51.859651089 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 02:04:51 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7f7 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:
Jan 15, 2025 03:04:51.860321045 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 02:04:51 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7f7 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:
Jan 15, 2025 03:04:51.860506058 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 02:04:51 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1304-5151-bf6a-63383d41d7f7 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	199.59.243.228	80	7584	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 03:04:50.528528929 CET	169	OUT	GET /?subid1=20250115-1304-5082-90f7-a7068eb2f250 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 03:04:51.859368086 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 02:04:50 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 66aeb117-dc9f-422c-a833-853709825047 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a1pAULAU8TMul3uo31nsJ/ZYRyBZJjEgqC+mco4sYfxTJEXILo8/xYmaqrYzPVFFubf39/VfN/8Q2bp3K4rknA== set-cookie: parking_session=66aeb117-dc9f-422c-a833-853709825047; expires=Wed, 15 Jan 2025 02:19:50 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 31 70 41 55 4c 41 55 38 54 4d 75 6c 33 75 6f 33 31 6e 73 4a 2f 5a 59 52 79 42 5a 4a 6a 45 67 71 43 2b 6d 63 6f 34 73 59 66 78 54 4a 45 58 49 4c 6f 38 2f 78 59 6d 61 71 72 59 7a 50 56 46 46 75 62 66 33 39 2f 56 66 4e 2f 38 51 32 62 70 33 4b 34 72 6b 6e 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a1pAULAU8TMul3uo31nsJ/ZYRyBZJjEgqC+mco4sYfxTJEXILo8/xYmaqrYzPVFFubf39/VfN/8Q2bp3K4rknA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 03:04:51.859385014 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjZhZWIxMTctZGM5Zi00MjJjLWE4MzMtODUzNzA5ODI1MDQ3IiwicGFnZV90aW1lIjoxNzM2OTA2NjkwLCJwYWdlX3VybCI6I
Jan 15, 2025 03:04:51.859461069 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjZhZWIxMTctZGM5Zi00MjJjLWE4MzMtODUzNzA5ODI1MDQ3IiwicGFnZV90aW1lIjoxNzM2OTA2NjkwLCJwYWdlX3VybCI6I
Jan 15, 2025 03:04:51.860030890 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 02:04:50 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 66aeb117-dc9f-422c-a833-853709825047 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a1pAULAU8TMul3uo31nsJ/ZYRyBZJjEgqC+mco4sYfxTJEXILo8/xYmaqrYzPVFFubf39/VfN/8Q2bp3K4rknA== set-cookie: parking_session=66aeb117-dc9f-422c-a833-853709825047; expires=Wed, 15 Jan 2025 02:19:50 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 31 70 41 55 4c 41 55 38 54 4d 75 6c 33 75 6f 33 31 6e 73 4a 2f 5a 59 52 79 42 5a 4a 6a 45 67 71 43 2b 6d 63 6f 34 73 59 66 78 54 4a 45 58 49 4c 6f 38 2f 78 59 6d 61 71 72 59 7a 50 56 46 46 75 62 66 33 39 2f 56 66 4e 2f 38 51 32 62 70 33 4b 34 72 6b 6e 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a1pAULAU8TMul3uo31nsJ/ZYRyBZJjEgqC+mco4sYfxTJEXILo8/xYmaqrYzPVFFubf39/VfN/8Q2bp3K4rknA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 03:04:51.860460997 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 02:04:50 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 66aeb117-dc9f-422c-a833-853709825047 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a1pAULAU8TMul3uo31nsJ/ZYRyBZJjEgqC+mco4sYfxTJEXILo8/xYmaqrYzPVFFubf39/VfN/8Q2bp3K4rknA== set-cookie: parking_session=66aeb117-dc9f-422c-a833-853709825047; expires=Wed, 15 Jan 2025 02:19:50 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 31 70 41 55 4c 41 55 38 54 4d 75 6c 33 75 6f 33 31 6e 73 4a 2f 5a 59 52 79 42 5a 4a 6a 45 67 71 43 2b 6d 63 6f 34 73 59 66 78 54 4a 45 58 49 4c 6f 38 2f 78 59 6d 61 71 72 59 7a 50 56 46 46 75 62 66 33 39 2f 56 66 4e 2f 38 51 32 62 70 33 4b 34 72 6b 6e 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a1pAULAU8TMul3uo31nsJ/ZYRyBZJjEgqC+mco4sYfxTJEXILo8/xYmaqrYzPVFFubf39/VfN/8Q2bp3K4rknA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49737	199.59.243.228	80	7656	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 03:04:51.896326065 CET	231	OUT	GET /?subid1=20250115-1304-5151-bf6a-63383d41d7f7 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=84ae1b42-84fc-4740-a603-6b20200136a7
Jan 15, 2025 03:04:52.354362965 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 02:04:52 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 6975b4e1-d156-4dfc-ac69-181d4568504c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TZ1mCN8WjKlq4GwTN3/82ZSzkd4B18qNaJbQjcu7327cwH1UYYbNi+LqslbC2hwpAsSUF3kINwrTHOreDEQ7Rw== set-cookie: parking_session=84ae1b42-84fc-4740-a603-6b20200136a7; expires=Wed, 15 Jan 2025 02:19:52 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 54 5a 31 6d 43 4e 38 57 6a 4b 6c 71 34 47 77 54 4e 33 2f 38 32 5a 53 7a 6b 64 34 42 31 38 71 4e 61 4a 62 51 6a 63 75 37 33 32 37 63 77 48 31 55 59 59 62 4e 69 2b 4c 71 73 6c 62 43 32 68 77 70 41 73 53 55 46 33 6b 49 4e 77 72 54 48 4f 72 65 44 45 51 37 52 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TZ1mCN8WjKlq4GwTN3/82ZSzkd4B18qNaJbQjcu7327cwH1UYYbNi+LqslbC2hwpAsSUF3kINwrTHOreDEQ7Rw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 03:04:52.354386091 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODRhZTFiNDItODRmYy00NzQwLWE2MDMtNmIyMDIwMDEzNmE3IiwicGFnZV90aW1lIjoxNzM2OTA2NjkyLCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	21:04:46
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll"
Imagebase:	0xd00000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:04:46
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:04:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:04:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V01vdyUACe.dll,PlayGame
Imagebase:	0xed0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:04:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",#1
Imagebase:	0xed0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:04:46
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	9679BDFFCFC1DA1D852E8F218B335E78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1779970986.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.1780101745.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:04:48
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	9679BDFFCFC1DA1D852E8F218B335E78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1802755433.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1801878238.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2463708479.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2463448129.0000000001FBE000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:04:49
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\V01vdyUACe.dll",PlayGame
Imagebase:	0xed0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:04:49
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	9679BDFFCFC1DA1D852E8F218B335E78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1831457534.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1809549232.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.1831588866.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1809283291.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3
WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29
CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000005.00000002.1824984279.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1824970702.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1824998477.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825085527.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.1824984279.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1824970702.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1824998477.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825085527.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.1824984279.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1824970702.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1824998477.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825085527.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000005.00000002.1824984279.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1824970702.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1824998477.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825085527.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.1824984279.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1824970702.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1824998477.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825012176.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825085527.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1825170280.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 7584, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2461272833.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2461249117.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461343343.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461761725.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461818199.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2461272833.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2461249117.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461343343.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461761725.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461818199.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.2461272833.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2461249117.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461343343.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461761725.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461818199.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F
CloseHandle, xrefs: 00407D29
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D

Memory Dump Source

Source File: 00000006.00000002.2461272833.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2461249117.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461343343.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461761725.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461818199.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2461272833.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2461249117.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461343343.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461425461.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461661387.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461761725.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461818199.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2461970204.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report V01vdyUACe.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
V01vdyUACe.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON