Edit tour

Windows Analysis Report
mLm1d1GV4R.dll

Overview

General Information

Sample name:	mLm1d1GV4R.dll renamed because original name is a hash value
Original sample name:	775930a062cfe16caf9a56513d142262.dll
Analysis ID:	1591899
MD5:	775930a062cfe16caf9a56513d142262
SHA1:	ebc7f59387f5b121795b3c3bc37bc77c566baf7b
SHA256:	c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3236 cmdline: loaddll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1732 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4308 cmdline: rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1440 cmdline: rundll32.exe C:\Users\user\Desktop\mLm1d1GV4R.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 3164 cmdline: C:\WINDOWS\mssecsvr.exe MD5: E916117384C8250971067D18F2734F8B)

rundll32.exe (PID: 6744 cmdline: rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6264 cmdline: C:\WINDOWS\mssecsvr.exe MD5: E916117384C8250971067D18F2734F8B)

mssecsvr.exe (PID: 2104 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: E916117384C8250971067D18F2734F8B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mLm1d1GV4R.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
mLm1d1GV4R.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
mLm1d1GV4R.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvr.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvr.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
C:\Windows\mssecsvr.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvr.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1727467369.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1769263752.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1756428845.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1747881309.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 3164	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 2104	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 6264	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.mssecsvr.exe.1d45084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.225f8c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.229196c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.229196c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d77128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.1d77128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.229196c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.229196c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.229196c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d45084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d45084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1d45084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d77128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d77128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.1d77128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.225f8c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.225f8c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.225f8c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d54104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.1d54104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1d54104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d54104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.226e948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.226e948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.226e948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.226e948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.226e948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.226e948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.226e948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d54104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d54104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5029d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50a83a:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5083a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1d54104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.226a8e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.226a8e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.226a8e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d500a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d500a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1d500a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T15:40:06.783765+0100	2803304	3	Unknown Traffic	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-15T15:40:08.564369+0100	2803304	3	Unknown Traffic	192.168.2.4	49732	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T15:40:05.834939+0100	2830018	1	A Network Trojan was detected	192.168.2.4	59645	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mLm1d1GV4R.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e6207580	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e62075	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c3	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c336	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c315	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c3156a	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\mssecsvr.exe	Avira: detection malicious, Label: TR/WannaCrypt.yteen
Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/WannaCrypt.yteen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 72%
Source: C:\Windows\mssecsvr.exe	ReversingLabs: Detection: 100%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 72%

Multi AV Scanner detection for submitted file

Source: mLm1d1GV4R.dll	Virustotal: Detection: 88%			Perma Link
Source: mLm1d1GV4R.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Windows\mssecsvr.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: mLm1d1GV4R.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: mLm1d1GV4R.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.4:59645 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0140-0612-9098-d266b9c3156a HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0140-08a2-bd71-14f1e6207580 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736952006.1100515
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0140-0955-b54b-361d8820c336 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=04768f6c-8dd5-4f0d-884c-dbdf53d063e1

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.64
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.64
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.64
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.64
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.211.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.200
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.200
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.200
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.200
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.84
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.84
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.84
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.84
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.95.77.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.119.231.1
Source: unknown	TCP traffic detected without corresponding DNS query: 34.70.129.79
Source: unknown	TCP traffic detected without corresponding DNS query: 34.70.129.79
Source: unknown	TCP traffic detected without corresponding DNS query: 34.70.129.79
Source: unknown	TCP traffic detected without corresponding DNS query: 34.70.129.1
Source: unknown	TCP traffic detected without corresponding DNS query: 34.70.129.79

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0140-0612-9098-d266b9c3156a HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0140-08a2-bd71-14f1e6207580 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736952006.1100515
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0140-0955-b54b-361d8820c336 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=04768f6c-8dd5-4f0d-884c-dbdf53d063e1

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000008.00000003.1768434396.0000000000B11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.1762689209.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c315
Source: mssecsvr.exe, 00000006.00000002.2396715563.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1756314790.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2396715563.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e62075
Source: mssecsvr.exe, 00000008.00000002.1770056859.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1770056859.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c3
Source: mssecsvr.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000008.00000002.1770056859.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.2396715563.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)
Source: mssecsvr.exe, 00000006.00000002.2396715563.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/:
Source: mssecsvr.exe, 00000005.00000002.1762689209.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/C;
Source: mssecsvr.exe, 00000008.00000002.1770056859.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/eX
Source: mssecsvr.exe, 00000005.00000002.1762689209.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/i;
Source: mssecsvr.exe, 00000008.00000002.1770056859.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/~
Source: mssecsvr.exe, 00000006.00000002.2396198170.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000008.00000002.1770056859.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comll

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: mLm1d1GV4R.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvr.exe.229196c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d45084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.225f8c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.226e948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.226a8e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d500a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1727467369.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1769263752.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1756428845.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1747881309.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 2104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6264, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\mssecsvr.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: mLm1d1GV4R.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: mLm1d1GV4R.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d45084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.225f8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.229196c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.229196c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.229196c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.229196c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d45084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d45084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.225f8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.225f8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.226e948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.226e948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.226a8e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.226a8e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d500a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d500a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: mssecsvr.exe.4.dr

Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: mLm1d1GV4R.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: mLm1d1GV4R.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: mLm1d1GV4R.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d45084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.225f8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.229196c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.229196c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d77128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.229196c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.229196c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d45084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d45084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d77128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.225f8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.225f8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d54104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.226e948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.226e948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.226e948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d54104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.226a8e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.226a8e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1d500a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1d500a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.5.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: mLm1d1GV4R.dll, mssecsvr.exe.4.dr, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/3@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03

Source: mLm1d1GV4R.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mLm1d1GV4R.dll,PlayGame

Source: mLm1d1GV4R.dll	Virustotal: Detection: 88%
Source: mLm1d1GV4R.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mLm1d1GV4R.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mLm1d1GV4R.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: mLm1d1GV4R.dll

Static file information: File size 5267459 > 1048576

Source: mLm1d1GV4R.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.5.dr

Static PE information: section name: .text entropy: 7.64063717569669

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvr.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvr.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 1508	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1508	Thread sleep time: -182000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2756	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2756	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1508	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000008.00000002.1770056859.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&>
Source: mssecsvr.exe, 00000005.00000002.1762689209.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1762689209.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2396715563.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2396715563.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1770056859.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1770056859.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000006.00000002.2396715563.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mLm1d1GV4R.dll	89%	Virustotal		Browse
mLm1d1GV4R.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
mLm1d1GV4R.dll	100%	Avira	TR/AD.DPulsarShellcode.gohtr
mLm1d1GV4R.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvr.exe	100%	Avira	TR/WannaCrypt.yteen
C:\Windows\tasksche.exe	100%	Avira	TR/WannaCrypt.yteen
C:\Windows\mssecsvr.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	72%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvr.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	72%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comll	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e6207580	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e62075	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c3	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c336	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c315	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c3156a	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e6207580	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c336	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c3156a	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comll	mssecsvr.exe, 00000008.00000002.1770056859.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e62075	mssecsvr.exe, 00000006.00000002.2396715563.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1756314790.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2396715563.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)	mssecsvr.exe, 00000006.00000002.2396715563.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000008.00000003.1768434396.0000000000B11000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mssecsvr.exe.4.dr	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c315	mssecsvr.exe, 00000005.00000002.1762689209.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/~	mssecsvr.exe, 00000008.00000002.1770056859.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c3	mssecsvr.exe, 00000008.00000002.1770056859.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1770056859.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/:	mssecsvr.exe, 00000006.00000002.2396715563.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000006.00000002.2396198170.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/C;	mssecsvr.exe, 00000005.00000002.1762689209.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/eX	mssecsvr.exe, 00000008.00000002.1770056859.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/i;	mssecsvr.exe, 00000005.00000002.1762689209.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
205.104.64.1	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
76.16.231.1	unknown	United States	7922	COMCAST-7922US	false
13.201.100.1	unknown	United States	7018	ATT-INTERNET4US	false
76.71.199.22	unknown	Canada	577	BACOMCA	false
165.109.216.2	unknown	United States	7926	FICOUS	false
165.109.216.1	unknown	United States	7926	FICOUS	false
221.134.212.1	unknown	India	9583	SIFY-AS-INSifyLimitedIN	false
9.190.114.1	unknown	United States	3356	LEVEL3US	false
163.46.23.25	unknown	Japan	18126	CTCXChubuTelecommunicationsCompanyIncJP	false
221.134.212.57	unknown	India	9583	SIFY-AS-INSifyLimitedIN	false
7.211.44.86	unknown	United States	3356	LEVEL3US	false
56.131.124.1	unknown	United States	2686	ATGS-MMD-ASUS	false
85.207.211.64	unknown	Czech Republic	25248	BLUETONE-ASTheCzechRepublicCZ	false
20.119.231.200	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
148.245.140.156	unknown	Mexico	6503	AxtelSABdeCVMX	false
135.243.33.1	unknown	United States	10455	LUCENT-CIOUS	false
219.171.12.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
158.253.134.29	unknown	United States	29695	ALTIBOX_ASNorwayNO	false
76.16.231.119	unknown	United States	7922	COMCAST-7922US	false
163.46.23.1	unknown	Japan	18126	CTCXChubuTelecommunicationsCompanyIncJP	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591899
Start date and time:	2025-01-15 15:39:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mLm1d1GV4R.dll renamed because original name is a hash value
Original Sample Name:	775930a062cfe16caf9a56513d142262.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/3@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 2.23.77.188, 52.149.20.212, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:40:07	API Interceptor	1x Sleep call for process: loaddll32.exe modified
09:40:42	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DNIC-ASBLK-00721-00726US	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	214.224.11.1
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	131.21.241.12
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	215.188.3.1
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	206.38.36.1
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	215.136.68.134
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	214.131.32.23
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	199.57.200.151
	ppc.elf	Get hash	malicious	Unknown	Browse	140.156.89.68
	i686.elf	Get hash	malicious	Unknown	Browse	131.16.58.46
	x86.elf	Get hash	malicious	Unknown	Browse	131.81.81.120
COMCAST-7922US	alN48K3xcD.dll	Get hash	malicious	Wannacry	Browse	73.32.183.92
	bC61G18iPf.dll	Get hash	malicious	Wannacry	Browse	96.157.153.1
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	96.202.31.29
	ue5QSYCBPt.dll	Get hash	malicious	Wannacry	Browse	28.93.62.1
	S8LDvVdtOk.dll	Get hash	malicious	Wannacry	Browse	26.242.207.126
	xjljKPlxqO.dll	Get hash	malicious	Wannacry	Browse	74.144.36.140
	FAuEwllF3K.dll	Get hash	malicious	Wannacry	Browse	25.91.69.1
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	30.129.64.110
	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	26.51.77.154
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	30.7.203.119
BACOMCA	meth3.elf	Get hash	malicious	Mirai	Browse	142.182.124.250
	arm4.elf	Get hash	malicious	Unknown	Browse	142.180.131.85
	m68k.elf	Get hash	malicious	Unknown	Browse	64.231.99.226
	meth4.elf	Get hash	malicious	Mirai	Browse	67.71.100.52
	meth5.elf	Get hash	malicious	Mirai	Browse	216.208.53.25
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	64.187.35.217
	5.elf	Get hash	malicious	Unknown	Browse	76.65.11.37
	res.sh4.elf	Get hash	malicious	Unknown	Browse	142.183.202.187
	res.arm5.elf	Get hash	malicious	Unknown	Browse	192.139.223.247
	3.elf	Get hash	malicious	Unknown	Browse	184.147.21.85
ATT-INTERNET4US	alN48K3xcD.dll	Get hash	malicious	Wannacry	Browse	13.34.249.4
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	107.111.117.177
	https://adelademable.org/abujguyaleon.html	Get hash	malicious	Unknown	Browse	13.32.27.129
	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	72.151.164.132
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	107.227.162.245
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	206.13.39.203
	http://industrious-tomato-ngvkcs.mystrikingly.com/	Get hash	malicious	Unknown	Browse	13.32.27.18
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	12.2.240.16
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	75.17.203.1
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	76.252.20.1

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.938069166957886
Encrypted:	false
SSDEEP:	49152:9MSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHEL:9PoBhz1aRxcSUDk36SAEdhkL
MD5:	9A426F15B0AC1E4BA38B8A2EBD569139
SHA1:	487F106D81CEC6A6109A3DDD184CEC0966ADD074
SHA-256:	81F90C2A40D84BFF483418F7DDA1470D34C0C21D794133CE0A09BCD9745F95E5
SHA-512:	251294029C9832E3C51F294C8E6AA0ED8BCC81D4B2CDDCF0E917BECAFD86C162FA6A2C437F9189F06DEA3CE39B0B41D42685D49E59B8C7DE74829DA9575D6A24
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 72%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvr.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2281472
Entropy (8bit):	7.844975658811434
Encrypted:	false
SSDEEP:	49152:QnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHEm:QnPoBhz1aRxcSUDk36SAEdhkm
MD5:	E916117384C8250971067D18F2734F8B
SHA1:	49515862AD32A93804F787671A4EFF3D0EBF6FC8
SHA-256:	09E05A106716C7A1994BC60185129C57A865F378468DFD223E424B51DE1FCBE9
SHA-512:	B6E887F017086F2A578A2E82D37749632AA6E11C1C95650D818B3D381AA53BE24ECEAB0358B8E64760DF2EC17BFA3647DB64B1BF50E7B69DA14641C3D3BD8CA3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L......................"...................@...........................P......................................................1..z...........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc.........1...... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.938069166957886
Encrypted:	false
SSDEEP:	49152:9MSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHEL:9PoBhz1aRxcSUDk36SAEdhkL
MD5:	9A426F15B0AC1E4BA38B8A2EBD569139
SHA1:	487F106D81CEC6A6109A3DDD184CEC0966ADD074
SHA-256:	81F90C2A40D84BFF483418F7DDA1470D34C0C21D794133CE0A09BCD9745F95E5
SHA-512:	251294029C9832E3C51F294C8E6AA0ED8BCC81D4B2CDDCF0E917BECAFD86C162FA6A2C437F9189F06DEA3CE39B0B41D42685D49E59B8C7DE74829DA9575D6A24
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 72%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.2410771620513845
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mLm1d1GV4R.dll
File size:	5'267'459 bytes
MD5:	775930a062cfe16caf9a56513d142262
SHA1:	ebc7f59387f5b121795b3c3bc37bc77c566baf7b
SHA256:	c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
SHA512:	7b5a61545b21ea5f477d86df7af8d53951011f3b062db09a5defb053716bb2bb619c53b5111ddcadba5047029fb41da2cdf3d95ab49466ed33428f372fe98f48
SSDEEP:	49152:RnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHE:1nPoBhz1aRxcSUDk36SAEdhk
TLSH:	A8361266AA18C6B6C11A1731C4F74FF2B6B27CA8D3E616075FA07D2A3D337516E60B01
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FBA3881FE6Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FBA3881FE88h
cmp esi, 01h
je 00007FBA3881FE67h
cmp esi, 02h
jne 00007FBA3881FE84h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FBA3881FE6Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FBA3881FE6Eh
push edi
push esi
push ebx
call 00007FBA3881FD7Ah
test eax, eax
jne 00007FBA3881FE66h
xor eax, eax
jmp 00007FBA3881FEB0h
push edi
push esi
push ebx
call 00007FBA3881FC2Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FBA3881FE6Eh
test eax, eax
jne 00007FBA3881FE99h
push edi
push eax
push ebx
call 00007FBA3881FD56h
test esi, esi
je 00007FBA3881FE67h
cmp esi, 03h
jne 00007FBA3881FE88h
push edi
push esi
push ebx
call 00007FBA3881FD45h
test eax, eax
jne 00007FBA3881FE65h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FBA3881FE73h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FBA3881FE6Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	b3d3bb320def8607321bb1b7991d8345	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8791799545288086

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T15:40:05.834939+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.4	59645	1.1.1.1	53	UDP
2025-01-15T15:40:06.783765+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-15T15:40:08.564369+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49732	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 15:40:06.161731958 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:06.166552067 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:06.166743040 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:06.166840076 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:06.171587944 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:06.559041023 CET	49675	443	192.168.2.4	173.222.162.32
Jan 15, 2025 15:40:06.783262968 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:06.783616066 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:06.783765078 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:06.789230108 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:06.793960094 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:07.119537115 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.124444008 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:07.124556065 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.126353979 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.131175995 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:07.600953102 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:07.600977898 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:07.601058006 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.698283911 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.699450016 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.703222990 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:07.703308105 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:07.956790924 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:07.961592913 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:07.961695910 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:07.962021112 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:07.966763020 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:08.564173937 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:08.564237118 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:08.564368963 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:08.564368963 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:08.579128027 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:08.582530975 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:08.583906889 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:08.587380886 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:08.587447882 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:08.587573051 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:08.592437983 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:08.695084095 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:08.699934959 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:08.700046062 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:08.700165987 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:08.704909086 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:09.060187101 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:09.060208082 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:09.060246944 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.060266018 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.068785906 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.068806887 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.122154951 CET	49735	445	192.168.2.4	85.207.211.64
Jan 15, 2025 15:40:09.127006054 CET	445	49735	85.207.211.64	192.168.2.4
Jan 15, 2025 15:40:09.127085924 CET	49735	445	192.168.2.4	85.207.211.64
Jan 15, 2025 15:40:09.127119064 CET	49735	445	192.168.2.4	85.207.211.64
Jan 15, 2025 15:40:09.127289057 CET	49736	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.131993055 CET	445	49735	85.207.211.64	192.168.2.4
Jan 15, 2025 15:40:09.132047892 CET	49735	445	192.168.2.4	85.207.211.64
Jan 15, 2025 15:40:09.132059097 CET	445	49736	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:09.132122040 CET	49736	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.132694960 CET	49736	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.137861967 CET	445	49736	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:09.137926102 CET	49736	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.143595934 CET	49737	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.148403883 CET	445	49737	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:09.148467064 CET	49737	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.148528099 CET	49737	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:09.153311014 CET	445	49737	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:09.316423893 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:09.316490889 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:09.316490889 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:09.316529989 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:09.318639040 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 15:40:09.320467949 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.323401928 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 15:40:09.325318098 CET	80	49742	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:09.325388908 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.325578928 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.330316067 CET	80	49742	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:09.790345907 CET	80	49742	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:09.790370941 CET	80	49742	199.59.243.228	192.168.2.4
Jan 15, 2025 15:40:09.790421009 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.790487051 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.800971031 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:09.800993919 CET	49742	80	192.168.2.4	199.59.243.228
Jan 15, 2025 15:40:11.122744083 CET	49761	445	192.168.2.4	75.40.242.200
Jan 15, 2025 15:40:11.127665043 CET	445	49761	75.40.242.200	192.168.2.4
Jan 15, 2025 15:40:11.127737999 CET	49761	445	192.168.2.4	75.40.242.200
Jan 15, 2025 15:40:11.127830029 CET	49761	445	192.168.2.4	75.40.242.200
Jan 15, 2025 15:40:11.128238916 CET	49762	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.133029938 CET	445	49762	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:11.133100033 CET	49762	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.133131981 CET	49762	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.133214951 CET	445	49761	75.40.242.200	192.168.2.4
Jan 15, 2025 15:40:11.133268118 CET	49761	445	192.168.2.4	75.40.242.200
Jan 15, 2025 15:40:11.134363890 CET	49763	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.137965918 CET	445	49762	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:11.138020039 CET	49762	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.139256954 CET	445	49763	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:11.139336109 CET	49763	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.139363050 CET	49763	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:11.144179106 CET	445	49763	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:13.138967991 CET	49786	445	192.168.2.4	43.95.77.84
Jan 15, 2025 15:40:13.143811941 CET	445	49786	43.95.77.84	192.168.2.4
Jan 15, 2025 15:40:13.143886089 CET	49786	445	192.168.2.4	43.95.77.84
Jan 15, 2025 15:40:13.143919945 CET	49786	445	192.168.2.4	43.95.77.84
Jan 15, 2025 15:40:13.144109011 CET	49787	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.149013042 CET	445	49787	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:13.149074078 CET	49787	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.149139881 CET	49787	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.149949074 CET	445	49786	43.95.77.84	192.168.2.4
Jan 15, 2025 15:40:13.149997950 CET	49786	445	192.168.2.4	43.95.77.84
Jan 15, 2025 15:40:13.150566101 CET	49788	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.154158115 CET	445	49787	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:13.154217958 CET	49787	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.155364037 CET	445	49788	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:13.155425072 CET	49788	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.155462980 CET	49788	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:13.160238028 CET	445	49788	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:15.167879105 CET	49810	445	192.168.2.4	20.119.231.200
Jan 15, 2025 15:40:15.172792912 CET	445	49810	20.119.231.200	192.168.2.4
Jan 15, 2025 15:40:15.172884941 CET	49810	445	192.168.2.4	20.119.231.200
Jan 15, 2025 15:40:15.173044920 CET	49810	445	192.168.2.4	20.119.231.200
Jan 15, 2025 15:40:15.173176050 CET	49812	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.177886009 CET	445	49810	20.119.231.200	192.168.2.4
Jan 15, 2025 15:40:15.177949905 CET	49810	445	192.168.2.4	20.119.231.200
Jan 15, 2025 15:40:15.177966118 CET	445	49812	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:15.178018093 CET	49812	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.178106070 CET	49812	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.182971001 CET	445	49812	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:15.183034897 CET	49812	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.187146902 CET	49813	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.192035913 CET	445	49813	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:15.192111015 CET	49813	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.192184925 CET	49813	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:15.196933031 CET	445	49813	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:17.169877052 CET	49832	445	192.168.2.4	34.70.129.79
Jan 15, 2025 15:40:17.174841881 CET	445	49832	34.70.129.79	192.168.2.4
Jan 15, 2025 15:40:17.174931049 CET	49832	445	192.168.2.4	34.70.129.79
Jan 15, 2025 15:40:17.175169945 CET	49832	445	192.168.2.4	34.70.129.79
Jan 15, 2025 15:40:17.175559998 CET	49833	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.179964066 CET	445	49832	34.70.129.79	192.168.2.4
Jan 15, 2025 15:40:17.180094004 CET	49832	445	192.168.2.4	34.70.129.79
Jan 15, 2025 15:40:17.180341959 CET	445	49833	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:17.180408001 CET	49833	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.180428028 CET	49833	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.181355000 CET	49834	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.185954094 CET	445	49833	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:17.186007023 CET	49833	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.186177015 CET	445	49834	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:17.186261892 CET	49834	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.186311960 CET	49834	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:17.191056013 CET	445	49834	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:19.185401917 CET	49855	445	192.168.2.4	165.109.216.71
Jan 15, 2025 15:40:19.190412045 CET	445	49855	165.109.216.71	192.168.2.4
Jan 15, 2025 15:40:19.190495014 CET	49855	445	192.168.2.4	165.109.216.71
Jan 15, 2025 15:40:19.190604925 CET	49855	445	192.168.2.4	165.109.216.71
Jan 15, 2025 15:40:19.190911055 CET	49856	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.195650101 CET	445	49855	165.109.216.71	192.168.2.4
Jan 15, 2025 15:40:19.195736885 CET	445	49856	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:19.195761919 CET	49855	445	192.168.2.4	165.109.216.71
Jan 15, 2025 15:40:19.195812941 CET	49856	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.195863962 CET	49856	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.197340012 CET	49857	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.201308012 CET	445	49856	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:19.201384068 CET	49856	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.202513933 CET	445	49857	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:19.202604055 CET	49857	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.202694893 CET	49857	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:19.207401991 CET	445	49857	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:20.918807983 CET	49723	80	192.168.2.4	199.232.210.172
Jan 15, 2025 15:40:20.924346924 CET	80	49723	199.232.210.172	192.168.2.4
Jan 15, 2025 15:40:20.924412012 CET	49723	80	192.168.2.4	199.232.210.172
Jan 15, 2025 15:40:21.199878931 CET	49884	445	192.168.2.4	111.199.171.239
Jan 15, 2025 15:40:21.204822063 CET	445	49884	111.199.171.239	192.168.2.4
Jan 15, 2025 15:40:21.204899073 CET	49884	445	192.168.2.4	111.199.171.239
Jan 15, 2025 15:40:21.204927921 CET	49884	445	192.168.2.4	111.199.171.239
Jan 15, 2025 15:40:21.205106020 CET	49885	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.209918976 CET	445	49884	111.199.171.239	192.168.2.4
Jan 15, 2025 15:40:21.209953070 CET	445	49885	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:21.209981918 CET	49884	445	192.168.2.4	111.199.171.239
Jan 15, 2025 15:40:21.210021019 CET	49885	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.210114956 CET	49885	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.210386992 CET	49886	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.215053082 CET	445	49885	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:21.215274096 CET	445	49886	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:21.215333939 CET	49885	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.215358019 CET	49886	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.215418100 CET	49886	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:21.220232964 CET	445	49886	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:23.215852976 CET	49911	445	192.168.2.4	76.71.199.22
Jan 15, 2025 15:40:23.220804930 CET	445	49911	76.71.199.22	192.168.2.4
Jan 15, 2025 15:40:23.220899105 CET	49911	445	192.168.2.4	76.71.199.22
Jan 15, 2025 15:40:23.220944881 CET	49911	445	192.168.2.4	76.71.199.22
Jan 15, 2025 15:40:23.221054077 CET	49912	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.225960016 CET	445	49911	76.71.199.22	192.168.2.4
Jan 15, 2025 15:40:23.225990057 CET	445	49912	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:23.226039886 CET	49911	445	192.168.2.4	76.71.199.22
Jan 15, 2025 15:40:23.226068020 CET	49912	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.226080894 CET	49912	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.226259947 CET	49913	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.231113911 CET	445	49912	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:23.231147051 CET	445	49913	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:23.231199980 CET	49912	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.231215954 CET	49913	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.231254101 CET	49913	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:23.236258030 CET	445	49913	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:25.231451988 CET	49935	445	192.168.2.4	32.41.128.239
Jan 15, 2025 15:40:25.236372948 CET	445	49935	32.41.128.239	192.168.2.4
Jan 15, 2025 15:40:25.239413023 CET	49935	445	192.168.2.4	32.41.128.239
Jan 15, 2025 15:40:25.239453077 CET	49935	445	192.168.2.4	32.41.128.239
Jan 15, 2025 15:40:25.239599943 CET	49936	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.244435072 CET	445	49936	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:25.244477987 CET	445	49935	32.41.128.239	192.168.2.4
Jan 15, 2025 15:40:25.244517088 CET	49936	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.244544983 CET	49935	445	192.168.2.4	32.41.128.239
Jan 15, 2025 15:40:25.244615078 CET	49936	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.244863987 CET	49937	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.249510050 CET	445	49936	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:25.249583960 CET	49936	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.249671936 CET	445	49937	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:25.250355959 CET	49937	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.250400066 CET	49937	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:25.255220890 CET	445	49937	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:27.246754885 CET	49960	445	192.168.2.4	183.201.58.208
Jan 15, 2025 15:40:27.251645088 CET	445	49960	183.201.58.208	192.168.2.4
Jan 15, 2025 15:40:27.251729965 CET	49960	445	192.168.2.4	183.201.58.208
Jan 15, 2025 15:40:27.251769066 CET	49960	445	192.168.2.4	183.201.58.208
Jan 15, 2025 15:40:27.252024889 CET	49961	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.256650925 CET	445	49960	183.201.58.208	192.168.2.4
Jan 15, 2025 15:40:27.256700039 CET	49960	445	192.168.2.4	183.201.58.208
Jan 15, 2025 15:40:27.256814003 CET	445	49961	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:27.256875992 CET	49961	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.256910086 CET	49961	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.257221937 CET	49962	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.261790037 CET	445	49961	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:27.261856079 CET	49961	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.261992931 CET	445	49962	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:27.262038946 CET	49962	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.262053013 CET	49962	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:27.266820908 CET	445	49962	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:29.263159990 CET	49983	445	192.168.2.4	150.113.209.75
Jan 15, 2025 15:40:29.267970085 CET	445	49983	150.113.209.75	192.168.2.4
Jan 15, 2025 15:40:29.268090963 CET	49983	445	192.168.2.4	150.113.209.75
Jan 15, 2025 15:40:29.268090963 CET	49983	445	192.168.2.4	150.113.209.75
Jan 15, 2025 15:40:29.268364906 CET	49984	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.272994995 CET	445	49983	150.113.209.75	192.168.2.4
Jan 15, 2025 15:40:29.273216009 CET	49983	445	192.168.2.4	150.113.209.75
Jan 15, 2025 15:40:29.273245096 CET	445	49984	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:29.273312092 CET	49984	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.273396015 CET	49984	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.273565054 CET	49985	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.278362989 CET	445	49985	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:29.278423071 CET	49985	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.278445959 CET	49985	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.278918028 CET	445	49984	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:29.278976917 CET	49984	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:29.283216953 CET	445	49985	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:30.532880068 CET	445	49737	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:30.532974005 CET	49737	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:30.533036947 CET	49737	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:30.533107042 CET	49737	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:30.538054943 CET	445	49737	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:30.538141966 CET	445	49737	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:31.278137922 CET	50007	445	192.168.2.4	163.46.23.25
Jan 15, 2025 15:40:31.282984972 CET	445	50007	163.46.23.25	192.168.2.4
Jan 15, 2025 15:40:31.283071995 CET	50007	445	192.168.2.4	163.46.23.25
Jan 15, 2025 15:40:31.283107042 CET	50007	445	192.168.2.4	163.46.23.25
Jan 15, 2025 15:40:31.283301115 CET	50008	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.288182974 CET	445	50008	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:31.288214922 CET	445	50007	163.46.23.25	192.168.2.4
Jan 15, 2025 15:40:31.288259029 CET	50008	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.288286924 CET	50007	445	192.168.2.4	163.46.23.25
Jan 15, 2025 15:40:31.288397074 CET	50008	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.288722992 CET	50009	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.293272018 CET	445	50008	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:31.293334007 CET	50008	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.293572903 CET	445	50009	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:31.293629885 CET	50009	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.293653011 CET	50009	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:31.298505068 CET	445	50009	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:32.528517962 CET	445	49763	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:32.528657913 CET	49763	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:32.528702974 CET	49763	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:32.528776884 CET	49763	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:32.533565998 CET	445	49763	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:32.533595085 CET	445	49763	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:33.293762922 CET	50032	445	192.168.2.4	56.131.124.59
Jan 15, 2025 15:40:33.298681021 CET	445	50032	56.131.124.59	192.168.2.4
Jan 15, 2025 15:40:33.298857927 CET	50032	445	192.168.2.4	56.131.124.59
Jan 15, 2025 15:40:33.298858881 CET	50032	445	192.168.2.4	56.131.124.59
Jan 15, 2025 15:40:33.298939943 CET	50033	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.303764105 CET	445	50033	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:33.303872108 CET	50033	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.303884029 CET	50033	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.303951025 CET	445	50032	56.131.124.59	192.168.2.4
Jan 15, 2025 15:40:33.304011106 CET	50032	445	192.168.2.4	56.131.124.59
Jan 15, 2025 15:40:33.304223061 CET	50034	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.309153080 CET	445	50034	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:33.309278011 CET	50034	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.309324026 CET	50034	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.311378002 CET	445	50033	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:33.312745094 CET	445	50033	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:33.312794924 CET	50033	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:33.314137936 CET	445	50034	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:33.543556929 CET	50038	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:33.550335884 CET	445	50038	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:33.550434113 CET	50038	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:33.550482988 CET	50038	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:33.558953047 CET	445	50038	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:34.530637980 CET	445	49788	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:34.530827045 CET	49788	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:34.530827045 CET	49788	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:34.530873060 CET	49788	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:34.535768986 CET	445	49788	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:34.535798073 CET	445	49788	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:35.309659004 CET	50040	445	192.168.2.4	10.10.127.62
Jan 15, 2025 15:40:35.314596891 CET	445	50040	10.10.127.62	192.168.2.4
Jan 15, 2025 15:40:35.314701080 CET	50040	445	192.168.2.4	10.10.127.62
Jan 15, 2025 15:40:35.314766884 CET	50040	445	192.168.2.4	10.10.127.62
Jan 15, 2025 15:40:35.314893007 CET	50041	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.319600105 CET	445	50040	10.10.127.62	192.168.2.4
Jan 15, 2025 15:40:35.319655895 CET	50040	445	192.168.2.4	10.10.127.62
Jan 15, 2025 15:40:35.319690943 CET	445	50041	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:35.319740057 CET	50041	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.319802046 CET	50041	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.320018053 CET	50042	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.324634075 CET	445	50041	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:35.324680090 CET	50041	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.324836969 CET	445	50042	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:35.324894905 CET	50042	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.324938059 CET	50042	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:35.329725027 CET	445	50042	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:35.543581009 CET	50043	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:35.548446894 CET	445	50043	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:35.548532009 CET	50043	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:35.548624992 CET	50043	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:35.553411961 CET	445	50043	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:36.574475050 CET	445	49813	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:36.575190067 CET	49813	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:36.575239897 CET	49813	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:36.575330019 CET	49813	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:36.580168009 CET	445	49813	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:36.580198050 CET	445	49813	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:37.325073957 CET	50044	445	192.168.2.4	126.222.69.217
Jan 15, 2025 15:40:37.329947948 CET	445	50044	126.222.69.217	192.168.2.4
Jan 15, 2025 15:40:37.330082893 CET	50044	445	192.168.2.4	126.222.69.217
Jan 15, 2025 15:40:37.330147028 CET	50044	445	192.168.2.4	126.222.69.217
Jan 15, 2025 15:40:37.330282927 CET	50045	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.334985018 CET	445	50044	126.222.69.217	192.168.2.4
Jan 15, 2025 15:40:37.335086107 CET	50044	445	192.168.2.4	126.222.69.217
Jan 15, 2025 15:40:37.335139036 CET	445	50045	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:37.335226059 CET	50045	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.335263968 CET	50045	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.335661888 CET	50046	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.340264082 CET	445	50045	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:37.340337992 CET	50045	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.340450048 CET	445	50046	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:37.340514898 CET	50046	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.340567112 CET	50046	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:37.345352888 CET	445	50046	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:37.543615103 CET	50047	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:37.548521042 CET	445	50047	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:37.548640013 CET	50047	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:37.548787117 CET	50047	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:37.553505898 CET	445	50047	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:38.573852062 CET	445	49834	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:38.574038029 CET	49834	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:38.574105024 CET	49834	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:38.574191093 CET	49834	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:38.579700947 CET	445	49834	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:38.579787016 CET	445	49834	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:39.341056108 CET	50048	445	192.168.2.4	135.243.33.218
Jan 15, 2025 15:40:39.345904112 CET	445	50048	135.243.33.218	192.168.2.4
Jan 15, 2025 15:40:39.346097946 CET	50048	445	192.168.2.4	135.243.33.218
Jan 15, 2025 15:40:39.346097946 CET	50048	445	192.168.2.4	135.243.33.218
Jan 15, 2025 15:40:39.346227884 CET	50049	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.351057053 CET	445	50049	135.243.33.1	192.168.2.4
Jan 15, 2025 15:40:39.351130962 CET	50049	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.351210117 CET	50049	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.351213932 CET	445	50048	135.243.33.218	192.168.2.4
Jan 15, 2025 15:40:39.351272106 CET	50048	445	192.168.2.4	135.243.33.218
Jan 15, 2025 15:40:39.351497889 CET	50050	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.356329918 CET	445	50049	135.243.33.1	192.168.2.4
Jan 15, 2025 15:40:39.356359959 CET	445	50050	135.243.33.1	192.168.2.4
Jan 15, 2025 15:40:39.356416941 CET	50049	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.356522083 CET	50050	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.356612921 CET	50050	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:40:39.361496925 CET	445	50050	135.243.33.1	192.168.2.4
Jan 15, 2025 15:40:39.590598106 CET	50051	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:39.595391989 CET	445	50051	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:39.595504999 CET	50051	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:39.595555067 CET	50051	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:40:39.600281954 CET	445	50051	20.119.231.1	192.168.2.4
Jan 15, 2025 15:40:40.558826923 CET	445	49857	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:40.558954954 CET	49857	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:40.559062004 CET	49857	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:40.559190989 CET	49857	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:40.563905954 CET	445	49857	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:40.564029932 CET	445	49857	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:41.356219053 CET	50052	445	192.168.2.4	79.143.219.148
Jan 15, 2025 15:40:41.379796982 CET	445	50052	79.143.219.148	192.168.2.4
Jan 15, 2025 15:40:41.379885912 CET	50052	445	192.168.2.4	79.143.219.148
Jan 15, 2025 15:40:41.380014896 CET	50052	445	192.168.2.4	79.143.219.148
Jan 15, 2025 15:40:41.380212069 CET	50053	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.384941101 CET	445	50052	79.143.219.148	192.168.2.4
Jan 15, 2025 15:40:41.385019064 CET	445	50053	79.143.219.1	192.168.2.4
Jan 15, 2025 15:40:41.385020971 CET	50052	445	192.168.2.4	79.143.219.148
Jan 15, 2025 15:40:41.385077000 CET	50053	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.385133028 CET	50053	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.385422945 CET	50054	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.390062094 CET	445	50053	79.143.219.1	192.168.2.4
Jan 15, 2025 15:40:41.390134096 CET	50053	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.390259981 CET	445	50054	79.143.219.1	192.168.2.4
Jan 15, 2025 15:40:41.390321970 CET	50054	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.390361071 CET	50054	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:40:41.395215034 CET	445	50054	79.143.219.1	192.168.2.4
Jan 15, 2025 15:40:41.574938059 CET	50055	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:41.579860926 CET	445	50055	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:41.580014944 CET	50055	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:41.580135107 CET	50055	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:40:41.584958076 CET	445	50055	34.70.129.1	192.168.2.4
Jan 15, 2025 15:40:42.574582100 CET	445	49886	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:42.574651957 CET	49886	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:42.574697971 CET	49886	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:42.574752092 CET	49886	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:42.579577923 CET	445	49886	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:42.579607964 CET	445	49886	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:43.372138023 CET	50056	445	192.168.2.4	94.240.109.39
Jan 15, 2025 15:40:43.574975967 CET	50057	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:44.251537085 CET	445	50056	94.240.109.39	192.168.2.4
Jan 15, 2025 15:40:44.251594067 CET	445	50057	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:44.251728058 CET	50056	445	192.168.2.4	94.240.109.39
Jan 15, 2025 15:40:44.251769066 CET	50056	445	192.168.2.4	94.240.109.39
Jan 15, 2025 15:40:44.251873016 CET	50057	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:44.251873016 CET	50057	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:40:44.252055883 CET	50058	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.256707907 CET	445	50056	94.240.109.39	192.168.2.4
Jan 15, 2025 15:40:44.256759882 CET	445	50057	165.109.216.1	192.168.2.4
Jan 15, 2025 15:40:44.256841898 CET	50056	445	192.168.2.4	94.240.109.39
Jan 15, 2025 15:40:44.256907940 CET	445	50058	94.240.109.1	192.168.2.4
Jan 15, 2025 15:40:44.256978035 CET	50058	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.257031918 CET	50058	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.257410049 CET	50059	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.262111902 CET	445	50058	94.240.109.1	192.168.2.4
Jan 15, 2025 15:40:44.262187004 CET	50058	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.262236118 CET	445	50059	94.240.109.1	192.168.2.4
Jan 15, 2025 15:40:44.262303114 CET	50059	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.262345076 CET	50059	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:40:44.267175913 CET	445	50059	94.240.109.1	192.168.2.4
Jan 15, 2025 15:40:44.591468096 CET	445	49913	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:44.591597080 CET	49913	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:44.591638088 CET	49913	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:44.591686964 CET	49913	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:44.597315073 CET	445	49913	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:44.597846031 CET	445	49913	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:45.269994974 CET	50060	445	192.168.2.4	139.184.56.228
Jan 15, 2025 15:40:45.274892092 CET	445	50060	139.184.56.228	192.168.2.4
Jan 15, 2025 15:40:45.274981976 CET	50060	445	192.168.2.4	139.184.56.228
Jan 15, 2025 15:40:45.279339075 CET	50060	445	192.168.2.4	139.184.56.228
Jan 15, 2025 15:40:45.279504061 CET	50061	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.284207106 CET	445	50060	139.184.56.228	192.168.2.4
Jan 15, 2025 15:40:45.284272909 CET	50060	445	192.168.2.4	139.184.56.228
Jan 15, 2025 15:40:45.284413099 CET	445	50061	139.184.56.1	192.168.2.4
Jan 15, 2025 15:40:45.284472942 CET	50061	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.288459063 CET	50061	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.293389082 CET	445	50061	139.184.56.1	192.168.2.4
Jan 15, 2025 15:40:45.293458939 CET	50061	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.308940887 CET	50062	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.313848019 CET	445	50062	139.184.56.1	192.168.2.4
Jan 15, 2025 15:40:45.313908100 CET	50062	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.313930988 CET	50062	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:40:45.318799019 CET	445	50062	139.184.56.1	192.168.2.4
Jan 15, 2025 15:40:45.590334892 CET	50063	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:45.595689058 CET	445	50063	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:45.595777035 CET	50063	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:45.595813990 CET	50063	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:40:45.601073980 CET	445	50063	111.199.171.1	192.168.2.4
Jan 15, 2025 15:40:46.622755051 CET	445	49937	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:46.622972965 CET	49937	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:46.623028040 CET	49937	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:46.623085976 CET	49937	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:46.627835035 CET	445	49937	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:46.627918005 CET	445	49937	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:47.606612921 CET	50065	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:47.611387014 CET	445	50065	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:47.611449957 CET	50065	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:47.611485958 CET	50065	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:40:47.616347075 CET	445	50065	76.71.199.1	192.168.2.4
Jan 15, 2025 15:40:48.121634960 CET	50066	445	192.168.2.4	76.16.231.119
Jan 15, 2025 15:40:48.126477003 CET	445	50066	76.16.231.119	192.168.2.4
Jan 15, 2025 15:40:48.126542091 CET	50066	445	192.168.2.4	76.16.231.119
Jan 15, 2025 15:40:48.126621962 CET	50066	445	192.168.2.4	76.16.231.119
Jan 15, 2025 15:40:48.126770020 CET	50067	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.131455898 CET	445	50066	76.16.231.119	192.168.2.4
Jan 15, 2025 15:40:48.131503105 CET	50066	445	192.168.2.4	76.16.231.119
Jan 15, 2025 15:40:48.131545067 CET	445	50067	76.16.231.1	192.168.2.4
Jan 15, 2025 15:40:48.131803989 CET	50067	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.131869078 CET	50067	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.132167101 CET	50068	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.136923075 CET	445	50067	76.16.231.1	192.168.2.4
Jan 15, 2025 15:40:48.136934996 CET	445	50068	76.16.231.1	192.168.2.4
Jan 15, 2025 15:40:48.137012959 CET	50067	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.137043953 CET	50068	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.137087107 CET	50068	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:40:48.141870975 CET	445	50068	76.16.231.1	192.168.2.4
Jan 15, 2025 15:40:48.622744083 CET	445	49962	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:48.622817993 CET	49962	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:48.622857094 CET	49962	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:48.622870922 CET	49962	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:48.627667904 CET	445	49962	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:48.627697945 CET	445	49962	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:48.653281927 CET	50069	445	192.168.2.4	223.125.161.111
Jan 15, 2025 15:40:48.658080101 CET	445	50069	223.125.161.111	192.168.2.4
Jan 15, 2025 15:40:48.658164024 CET	50069	445	192.168.2.4	223.125.161.111
Jan 15, 2025 15:40:48.658251047 CET	50069	445	192.168.2.4	223.125.161.111
Jan 15, 2025 15:40:48.658472061 CET	50070	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.663135052 CET	445	50069	223.125.161.111	192.168.2.4
Jan 15, 2025 15:40:48.663203955 CET	50069	445	192.168.2.4	223.125.161.111
Jan 15, 2025 15:40:48.663327932 CET	445	50070	223.125.161.1	192.168.2.4
Jan 15, 2025 15:40:48.663397074 CET	50070	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.663455009 CET	50070	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.663769960 CET	50071	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.668281078 CET	445	50070	223.125.161.1	192.168.2.4
Jan 15, 2025 15:40:48.668365002 CET	50070	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.668625116 CET	445	50071	223.125.161.1	192.168.2.4
Jan 15, 2025 15:40:48.668680906 CET	50071	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.668720961 CET	50071	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:40:48.673537016 CET	445	50071	223.125.161.1	192.168.2.4
Jan 15, 2025 15:40:49.637392998 CET	50072	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:49.642215014 CET	445	50072	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:49.642299891 CET	50072	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:49.642321110 CET	50072	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:40:49.647123098 CET	445	50072	32.41.128.1	192.168.2.4
Jan 15, 2025 15:40:50.184590101 CET	50073	445	192.168.2.4	205.104.64.10
Jan 15, 2025 15:40:50.189418077 CET	445	50073	205.104.64.10	192.168.2.4
Jan 15, 2025 15:40:50.189511061 CET	50073	445	192.168.2.4	205.104.64.10
Jan 15, 2025 15:40:50.189593077 CET	50073	445	192.168.2.4	205.104.64.10
Jan 15, 2025 15:40:50.189713001 CET	50074	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.194999933 CET	445	50074	205.104.64.1	192.168.2.4
Jan 15, 2025 15:40:50.195193052 CET	50074	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.195290089 CET	50074	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.195321083 CET	445	50073	205.104.64.10	192.168.2.4
Jan 15, 2025 15:40:50.195636034 CET	50075	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.196489096 CET	445	50073	205.104.64.10	192.168.2.4
Jan 15, 2025 15:40:50.196547985 CET	50073	445	192.168.2.4	205.104.64.10
Jan 15, 2025 15:40:50.200506926 CET	445	50075	205.104.64.1	192.168.2.4
Jan 15, 2025 15:40:50.200577974 CET	50075	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.200630903 CET	50075	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.201255083 CET	445	50074	205.104.64.1	192.168.2.4
Jan 15, 2025 15:40:50.201320887 CET	50074	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:40:50.205399036 CET	445	50075	205.104.64.1	192.168.2.4
Jan 15, 2025 15:40:50.654041052 CET	445	49985	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:50.654122114 CET	49985	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:50.654161930 CET	49985	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:50.654222012 CET	49985	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:50.658981085 CET	445	49985	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:50.658992052 CET	445	49985	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:51.606475115 CET	50076	445	192.168.2.4	52.127.103.109
Jan 15, 2025 15:40:51.611293077 CET	445	50076	52.127.103.109	192.168.2.4
Jan 15, 2025 15:40:51.611412048 CET	50076	445	192.168.2.4	52.127.103.109
Jan 15, 2025 15:40:51.611443043 CET	50076	445	192.168.2.4	52.127.103.109
Jan 15, 2025 15:40:51.611615896 CET	50077	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.616362095 CET	445	50077	52.127.103.1	192.168.2.4
Jan 15, 2025 15:40:51.616465092 CET	50077	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.616554022 CET	445	50076	52.127.103.109	192.168.2.4
Jan 15, 2025 15:40:51.616561890 CET	50077	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.616606951 CET	50076	445	192.168.2.4	52.127.103.109
Jan 15, 2025 15:40:51.616879940 CET	50078	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.621637106 CET	445	50078	52.127.103.1	192.168.2.4
Jan 15, 2025 15:40:51.621733904 CET	50078	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.621792078 CET	50078	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.621957064 CET	445	50077	52.127.103.1	192.168.2.4
Jan 15, 2025 15:40:51.622014046 CET	50077	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:40:51.626502991 CET	445	50078	52.127.103.1	192.168.2.4
Jan 15, 2025 15:40:51.637408972 CET	50079	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:51.642191887 CET	445	50079	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:51.642267942 CET	50079	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:51.642302990 CET	50079	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:40:51.647097111 CET	445	50079	183.201.58.1	192.168.2.4
Jan 15, 2025 15:40:52.658588886 CET	445	50009	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:52.658735991 CET	50009	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:52.658735991 CET	50009	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:52.658787966 CET	50009	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:52.663526058 CET	445	50009	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:52.663697004 CET	445	50009	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:52.934477091 CET	50080	445	192.168.2.4	219.171.12.201
Jan 15, 2025 15:40:52.939421892 CET	445	50080	219.171.12.201	192.168.2.4
Jan 15, 2025 15:40:52.939532042 CET	50080	445	192.168.2.4	219.171.12.201
Jan 15, 2025 15:40:52.939671993 CET	50080	445	192.168.2.4	219.171.12.201
Jan 15, 2025 15:40:52.939862013 CET	50081	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.944653988 CET	445	50081	219.171.12.1	192.168.2.4
Jan 15, 2025 15:40:52.944727898 CET	50081	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.944750071 CET	445	50080	219.171.12.201	192.168.2.4
Jan 15, 2025 15:40:52.944751978 CET	50081	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.944802999 CET	50080	445	192.168.2.4	219.171.12.201
Jan 15, 2025 15:40:52.945076942 CET	50082	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.949904919 CET	445	50082	219.171.12.1	192.168.2.4
Jan 15, 2025 15:40:52.949970961 CET	50082	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.950012922 CET	50082	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.950071096 CET	445	50081	219.171.12.1	192.168.2.4
Jan 15, 2025 15:40:52.950119972 CET	50081	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:40:52.954788923 CET	445	50082	219.171.12.1	192.168.2.4
Jan 15, 2025 15:40:53.668521881 CET	50083	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:53.673379898 CET	445	50083	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:53.673628092 CET	50083	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:53.673666954 CET	50083	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:40:53.678476095 CET	445	50083	150.113.209.1	192.168.2.4
Jan 15, 2025 15:40:54.169100046 CET	50084	445	192.168.2.4	68.7.6.18
Jan 15, 2025 15:40:54.174618006 CET	445	50084	68.7.6.18	192.168.2.4
Jan 15, 2025 15:40:54.174717903 CET	50084	445	192.168.2.4	68.7.6.18
Jan 15, 2025 15:40:54.174992085 CET	50084	445	192.168.2.4	68.7.6.18
Jan 15, 2025 15:40:54.175358057 CET	50085	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:40:54.180615902 CET	445	50085	68.7.6.1	192.168.2.4
Jan 15, 2025 15:40:54.180633068 CET	445	50084	68.7.6.18	192.168.2.4
Jan 15, 2025 15:40:54.180702925 CET	50084	445	192.168.2.4	68.7.6.18
Jan 15, 2025 15:40:54.180735111 CET	50085	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:40:54.181088924 CET	50086	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:40:54.187362909 CET	445	50085	68.7.6.1	192.168.2.4
Jan 15, 2025 15:40:54.187374115 CET	445	50086	68.7.6.1	192.168.2.4
Jan 15, 2025 15:40:54.187463045 CET	50085	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:40:54.187484026 CET	50086	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:40:54.187547922 CET	50086	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:40:54.192889929 CET	445	50086	68.7.6.1	192.168.2.4
Jan 15, 2025 15:40:54.701343060 CET	445	50034	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:54.701415062 CET	50034	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:54.701471090 CET	50034	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:54.701533079 CET	50034	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:54.706439972 CET	445	50034	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:54.706450939 CET	445	50034	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:54.919661045 CET	445	50038	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:54.919744015 CET	50038	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:54.919807911 CET	50038	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:54.919871092 CET	50038	445	192.168.2.4	85.207.211.1
Jan 15, 2025 15:40:54.924535036 CET	445	50038	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:54.924896955 CET	445	50038	85.207.211.1	192.168.2.4
Jan 15, 2025 15:40:54.981075048 CET	50087	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.986041069 CET	445	50087	85.207.211.2	192.168.2.4
Jan 15, 2025 15:40:54.986141920 CET	50087	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.986205101 CET	50087	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.986609936 CET	50088	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.991354942 CET	445	50087	85.207.211.2	192.168.2.4
Jan 15, 2025 15:40:54.991420031 CET	50087	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.992459059 CET	445	50088	85.207.211.2	192.168.2.4
Jan 15, 2025 15:40:54.992542028 CET	50088	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.992578030 CET	50088	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:40:54.997286081 CET	445	50088	85.207.211.2	192.168.2.4
Jan 15, 2025 15:40:55.325297117 CET	50089	445	192.168.2.4	221.134.212.57
Jan 15, 2025 15:40:55.331098080 CET	445	50089	221.134.212.57	192.168.2.4
Jan 15, 2025 15:40:55.331302881 CET	50089	445	192.168.2.4	221.134.212.57
Jan 15, 2025 15:40:55.331424952 CET	50089	445	192.168.2.4	221.134.212.57
Jan 15, 2025 15:40:55.331729889 CET	50090	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.336296082 CET	445	50089	221.134.212.57	192.168.2.4
Jan 15, 2025 15:40:55.336436033 CET	50089	445	192.168.2.4	221.134.212.57
Jan 15, 2025 15:40:55.338962078 CET	445	50090	221.134.212.1	192.168.2.4
Jan 15, 2025 15:40:55.339046955 CET	50090	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.339095116 CET	50090	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.339498997 CET	50091	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.344099045 CET	445	50090	221.134.212.1	192.168.2.4
Jan 15, 2025 15:40:55.344151974 CET	50090	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.344240904 CET	445	50091	221.134.212.1	192.168.2.4
Jan 15, 2025 15:40:55.344322920 CET	50091	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.344341040 CET	50091	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:40:55.349071980 CET	445	50091	221.134.212.1	192.168.2.4
Jan 15, 2025 15:40:55.668436050 CET	50092	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:55.673563957 CET	445	50092	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:55.673644066 CET	50092	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:55.673687935 CET	50092	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:40:55.678509951 CET	445	50092	163.46.23.1	192.168.2.4
Jan 15, 2025 15:40:56.403379917 CET	50093	445	192.168.2.4	7.211.44.86
Jan 15, 2025 15:40:56.408169031 CET	445	50093	7.211.44.86	192.168.2.4
Jan 15, 2025 15:40:56.408272982 CET	50093	445	192.168.2.4	7.211.44.86
Jan 15, 2025 15:40:56.408303976 CET	50093	445	192.168.2.4	7.211.44.86
Jan 15, 2025 15:40:56.408477068 CET	50094	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.413276911 CET	445	50094	7.211.44.1	192.168.2.4
Jan 15, 2025 15:40:56.413325071 CET	50094	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.413357019 CET	50094	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.413790941 CET	445	50093	7.211.44.86	192.168.2.4
Jan 15, 2025 15:40:56.413821936 CET	50095	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.413832903 CET	50093	445	192.168.2.4	7.211.44.86
Jan 15, 2025 15:40:56.418252945 CET	445	50094	7.211.44.1	192.168.2.4
Jan 15, 2025 15:40:56.418339968 CET	50094	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.418787003 CET	445	50095	7.211.44.1	192.168.2.4
Jan 15, 2025 15:40:56.418843985 CET	50095	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.418976068 CET	50095	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:40:56.423702955 CET	445	50095	7.211.44.1	192.168.2.4
Jan 15, 2025 15:40:56.703299046 CET	445	50042	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:56.703386068 CET	50042	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:56.703417063 CET	50042	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:56.703455925 CET	50042	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:56.708206892 CET	445	50042	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:56.708348989 CET	445	50042	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:56.918713093 CET	445	50043	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:56.918791056 CET	50043	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:56.918848038 CET	50043	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:56.918941975 CET	50043	445	192.168.2.4	75.40.242.1
Jan 15, 2025 15:40:56.923688889 CET	445	50043	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:56.923845053 CET	445	50043	75.40.242.1	192.168.2.4
Jan 15, 2025 15:40:56.981344938 CET	50096	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.986268997 CET	445	50096	75.40.242.2	192.168.2.4
Jan 15, 2025 15:40:56.986440897 CET	50096	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.986483097 CET	50096	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.986958027 CET	50097	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.991352081 CET	445	50096	75.40.242.2	192.168.2.4
Jan 15, 2025 15:40:56.991602898 CET	445	50096	75.40.242.2	192.168.2.4
Jan 15, 2025 15:40:56.991671085 CET	50096	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.991735935 CET	445	50097	75.40.242.2	192.168.2.4
Jan 15, 2025 15:40:56.991799116 CET	50097	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.991985083 CET	50097	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:40:56.996753931 CET	445	50097	75.40.242.2	192.168.2.4
Jan 15, 2025 15:40:57.420025110 CET	50098	445	192.168.2.4	13.201.100.218
Jan 15, 2025 15:40:57.424988985 CET	445	50098	13.201.100.218	192.168.2.4
Jan 15, 2025 15:40:57.425066948 CET	50098	445	192.168.2.4	13.201.100.218
Jan 15, 2025 15:40:57.425144911 CET	50098	445	192.168.2.4	13.201.100.218
Jan 15, 2025 15:40:57.425280094 CET	50099	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.430083036 CET	445	50099	13.201.100.1	192.168.2.4
Jan 15, 2025 15:40:57.430144072 CET	50099	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.430211067 CET	50099	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.431108952 CET	445	50098	13.201.100.218	192.168.2.4
Jan 15, 2025 15:40:57.431162119 CET	50098	445	192.168.2.4	13.201.100.218
Jan 15, 2025 15:40:57.432588100 CET	50100	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.435281038 CET	445	50099	13.201.100.1	192.168.2.4
Jan 15, 2025 15:40:57.435326099 CET	50099	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.437472105 CET	445	50100	13.201.100.1	192.168.2.4
Jan 15, 2025 15:40:57.437542915 CET	50100	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.437572002 CET	50100	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:40:57.442394972 CET	445	50100	13.201.100.1	192.168.2.4
Jan 15, 2025 15:40:57.715362072 CET	50102	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:57.721452951 CET	445	50102	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:57.721549988 CET	50102	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:57.721579075 CET	50102	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:40:57.727781057 CET	445	50102	56.131.124.1	192.168.2.4
Jan 15, 2025 15:40:58.356213093 CET	50104	445	192.168.2.4	5.179.105.228
Jan 15, 2025 15:40:58.360996962 CET	445	50104	5.179.105.228	192.168.2.4
Jan 15, 2025 15:40:58.361072063 CET	50104	445	192.168.2.4	5.179.105.228
Jan 15, 2025 15:40:58.361118078 CET	50104	445	192.168.2.4	5.179.105.228
Jan 15, 2025 15:40:58.361335993 CET	50105	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.366163015 CET	445	50104	5.179.105.228	192.168.2.4
Jan 15, 2025 15:40:58.366229057 CET	445	50105	5.179.105.1	192.168.2.4
Jan 15, 2025 15:40:58.366247892 CET	50104	445	192.168.2.4	5.179.105.228
Jan 15, 2025 15:40:58.366281986 CET	50105	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.366355896 CET	50105	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.366570950 CET	50106	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.371223927 CET	445	50105	5.179.105.1	192.168.2.4
Jan 15, 2025 15:40:58.371279001 CET	50105	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.371356010 CET	445	50106	5.179.105.1	192.168.2.4
Jan 15, 2025 15:40:58.371408939 CET	50106	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.371453047 CET	50106	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:40:58.376183987 CET	445	50106	5.179.105.1	192.168.2.4
Jan 15, 2025 15:40:58.719639063 CET	445	50046	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:58.719754934 CET	50046	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:58.719799995 CET	50046	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:58.719826937 CET	50046	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:40:58.724601030 CET	445	50046	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:58.724662066 CET	445	50046	126.222.69.1	192.168.2.4
Jan 15, 2025 15:40:58.933610916 CET	445	50047	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:58.933705091 CET	50047	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:58.933813095 CET	50047	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:58.933999062 CET	50047	445	192.168.2.4	43.95.77.1
Jan 15, 2025 15:40:58.938644886 CET	445	50047	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:58.938822031 CET	445	50047	43.95.77.1	192.168.2.4
Jan 15, 2025 15:40:58.996877909 CET	50112	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.002295971 CET	445	50112	43.95.77.2	192.168.2.4
Jan 15, 2025 15:40:59.002589941 CET	50112	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.002589941 CET	50112	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.002932072 CET	50113	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.007828951 CET	445	50112	43.95.77.2	192.168.2.4
Jan 15, 2025 15:40:59.007865906 CET	445	50113	43.95.77.2	192.168.2.4
Jan 15, 2025 15:40:59.007926941 CET	50112	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.007989883 CET	50113	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.008039951 CET	50113	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:40:59.012870073 CET	445	50113	43.95.77.2	192.168.2.4
Jan 15, 2025 15:40:59.233422995 CET	50114	445	192.168.2.4	148.245.140.156
Jan 15, 2025 15:40:59.238302946 CET	445	50114	148.245.140.156	192.168.2.4
Jan 15, 2025 15:40:59.238378048 CET	50114	445	192.168.2.4	148.245.140.156
Jan 15, 2025 15:40:59.238399982 CET	50114	445	192.168.2.4	148.245.140.156
Jan 15, 2025 15:40:59.238557100 CET	50115	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.243310928 CET	445	50114	148.245.140.156	192.168.2.4
Jan 15, 2025 15:40:59.243401051 CET	445	50114	148.245.140.156	192.168.2.4
Jan 15, 2025 15:40:59.243411064 CET	445	50115	148.245.140.1	192.168.2.4
Jan 15, 2025 15:40:59.243439913 CET	50114	445	192.168.2.4	148.245.140.156
Jan 15, 2025 15:40:59.243493080 CET	50115	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.243568897 CET	50115	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.243961096 CET	50116	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.248377085 CET	445	50115	148.245.140.1	192.168.2.4
Jan 15, 2025 15:40:59.248421907 CET	50115	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.248691082 CET	445	50116	148.245.140.1	192.168.2.4
Jan 15, 2025 15:40:59.248742104 CET	50116	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.248800039 CET	50116	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:40:59.253520966 CET	445	50116	148.245.140.1	192.168.2.4
Jan 15, 2025 15:40:59.715508938 CET	50122	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:59.720423937 CET	445	50122	10.10.127.1	192.168.2.4
Jan 15, 2025 15:40:59.720535994 CET	50122	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:59.720535994 CET	50122	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:40:59.725327969 CET	445	50122	10.10.127.1	192.168.2.4
Jan 15, 2025 15:41:00.059779882 CET	50123	445	192.168.2.4	9.190.114.97
Jan 15, 2025 15:41:00.064608097 CET	445	50123	9.190.114.97	192.168.2.4
Jan 15, 2025 15:41:00.064718008 CET	50123	445	192.168.2.4	9.190.114.97
Jan 15, 2025 15:41:00.067429066 CET	50123	445	192.168.2.4	9.190.114.97
Jan 15, 2025 15:41:00.067605019 CET	50124	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.072315931 CET	445	50123	9.190.114.97	192.168.2.4
Jan 15, 2025 15:41:00.072379112 CET	50123	445	192.168.2.4	9.190.114.97
Jan 15, 2025 15:41:00.072396994 CET	445	50124	9.190.114.1	192.168.2.4
Jan 15, 2025 15:41:00.072478056 CET	50124	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.072506905 CET	50124	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.072788954 CET	50125	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.077466011 CET	445	50124	9.190.114.1	192.168.2.4
Jan 15, 2025 15:41:00.077584028 CET	445	50125	9.190.114.1	192.168.2.4
Jan 15, 2025 15:41:00.077615976 CET	50124	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.077660084 CET	50125	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.077696085 CET	50125	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:00.082468033 CET	445	50125	9.190.114.1	192.168.2.4
Jan 15, 2025 15:41:00.731899977 CET	445	50050	135.243.33.1	192.168.2.4
Jan 15, 2025 15:41:00.732966900 CET	50050	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:00.733031034 CET	50050	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:00.733135939 CET	50050	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:00.737826109 CET	445	50050	135.243.33.1	192.168.2.4
Jan 15, 2025 15:41:00.737879992 CET	445	50050	135.243.33.1	192.168.2.4
Jan 15, 2025 15:41:00.825037956 CET	50131	445	192.168.2.4	158.253.134.29
Jan 15, 2025 15:41:00.830640078 CET	445	50131	158.253.134.29	192.168.2.4
Jan 15, 2025 15:41:00.830727100 CET	50131	445	192.168.2.4	158.253.134.29
Jan 15, 2025 15:41:00.830801010 CET	50131	445	192.168.2.4	158.253.134.29
Jan 15, 2025 15:41:00.830919027 CET	50132	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.836441994 CET	445	50132	158.253.134.1	192.168.2.4
Jan 15, 2025 15:41:00.836545944 CET	50132	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.836612940 CET	50132	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.836884975 CET	445	50131	158.253.134.29	192.168.2.4
Jan 15, 2025 15:41:00.836937904 CET	50133	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.837011099 CET	50131	445	192.168.2.4	158.253.134.29
Jan 15, 2025 15:41:00.842221022 CET	445	50132	158.253.134.1	192.168.2.4
Jan 15, 2025 15:41:00.842278957 CET	50132	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.842355967 CET	445	50133	158.253.134.1	192.168.2.4
Jan 15, 2025 15:41:00.842413902 CET	50133	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.842427015 CET	50133	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:00.847985983 CET	445	50133	158.253.134.1	192.168.2.4
Jan 15, 2025 15:41:00.964745045 CET	445	50051	20.119.231.1	192.168.2.4
Jan 15, 2025 15:41:00.964843035 CET	50051	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:41:00.964904070 CET	50051	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:41:00.964997053 CET	50051	445	192.168.2.4	20.119.231.1
Jan 15, 2025 15:41:00.971632004 CET	445	50051	20.119.231.1	192.168.2.4
Jan 15, 2025 15:41:00.971646070 CET	445	50051	20.119.231.1	192.168.2.4
Jan 15, 2025 15:41:01.028126955 CET	50139	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.034320116 CET	445	50139	20.119.231.2	192.168.2.4
Jan 15, 2025 15:41:01.034408092 CET	50139	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.034435034 CET	50139	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.034790039 CET	50140	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.041505098 CET	445	50140	20.119.231.2	192.168.2.4
Jan 15, 2025 15:41:01.041568995 CET	50140	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.041598082 CET	50140	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.041606903 CET	445	50139	20.119.231.2	192.168.2.4
Jan 15, 2025 15:41:01.041661978 CET	50139	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:01.048660040 CET	445	50140	20.119.231.2	192.168.2.4
Jan 15, 2025 15:41:01.731129885 CET	50146	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:41:01.736638069 CET	445	50146	126.222.69.1	192.168.2.4
Jan 15, 2025 15:41:01.736707926 CET	50146	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:41:01.736741066 CET	50146	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:41:01.744422913 CET	445	50146	126.222.69.1	192.168.2.4
Jan 15, 2025 15:41:02.746337891 CET	445	50054	79.143.219.1	192.168.2.4
Jan 15, 2025 15:41:02.746572018 CET	50054	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:02.746618986 CET	50054	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:02.746618986 CET	50054	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:02.751413107 CET	445	50054	79.143.219.1	192.168.2.4
Jan 15, 2025 15:41:02.751432896 CET	445	50054	79.143.219.1	192.168.2.4
Jan 15, 2025 15:41:02.932934046 CET	445	50055	34.70.129.1	192.168.2.4
Jan 15, 2025 15:41:02.933059931 CET	50055	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:41:02.933060884 CET	50055	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:41:02.933136940 CET	50055	445	192.168.2.4	34.70.129.1
Jan 15, 2025 15:41:02.937939882 CET	445	50055	34.70.129.1	192.168.2.4
Jan 15, 2025 15:41:02.937956095 CET	445	50055	34.70.129.1	192.168.2.4
Jan 15, 2025 15:41:02.996756077 CET	50156	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.001878023 CET	445	50156	34.70.129.2	192.168.2.4
Jan 15, 2025 15:41:03.002008915 CET	50156	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.002052069 CET	50156	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.002446890 CET	50157	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.007303953 CET	445	50156	34.70.129.2	192.168.2.4
Jan 15, 2025 15:41:03.007369041 CET	445	50157	34.70.129.2	192.168.2.4
Jan 15, 2025 15:41:03.007385015 CET	50156	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.007424116 CET	50157	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.007453918 CET	50157	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:03.012320042 CET	445	50157	34.70.129.2	192.168.2.4
Jan 15, 2025 15:41:03.746692896 CET	50165	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:03.751472950 CET	445	50165	135.243.33.1	192.168.2.4
Jan 15, 2025 15:41:03.752976894 CET	50165	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:03.752996922 CET	50165	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:03.757746935 CET	445	50165	135.243.33.1	192.168.2.4
Jan 15, 2025 15:41:05.622888088 CET	445	50057	165.109.216.1	192.168.2.4
Jan 15, 2025 15:41:05.622999907 CET	50057	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:41:05.623172998 CET	50057	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:41:05.623172998 CET	50057	445	192.168.2.4	165.109.216.1
Jan 15, 2025 15:41:05.627974987 CET	445	50057	165.109.216.1	192.168.2.4
Jan 15, 2025 15:41:05.627990961 CET	445	50057	165.109.216.1	192.168.2.4
Jan 15, 2025 15:41:05.652422905 CET	445	50059	94.240.109.1	192.168.2.4
Jan 15, 2025 15:41:05.652693033 CET	50059	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:05.652777910 CET	50059	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:05.652831078 CET	50059	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:05.657587051 CET	445	50059	94.240.109.1	192.168.2.4
Jan 15, 2025 15:41:05.657617092 CET	445	50059	94.240.109.1	192.168.2.4
Jan 15, 2025 15:41:05.684144974 CET	50194	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.689069033 CET	445	50194	165.109.216.2	192.168.2.4
Jan 15, 2025 15:41:05.689147949 CET	50194	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.689232111 CET	50194	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.689568996 CET	50195	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.694055080 CET	445	50194	165.109.216.2	192.168.2.4
Jan 15, 2025 15:41:05.694118023 CET	50194	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.694396019 CET	445	50195	165.109.216.2	192.168.2.4
Jan 15, 2025 15:41:05.694453001 CET	50195	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.694498062 CET	50195	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:05.699228048 CET	445	50195	165.109.216.2	192.168.2.4
Jan 15, 2025 15:41:05.762340069 CET	50196	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:06.777673960 CET	50196	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:06.782274961 CET	445	50062	139.184.56.1	192.168.2.4
Jan 15, 2025 15:41:06.782376051 CET	50062	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:06.782475948 CET	50062	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:06.782475948 CET	50062	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:06.783222914 CET	445	50196	79.143.219.1	192.168.2.4
Jan 15, 2025 15:41:06.783243895 CET	445	50196	79.143.219.1	192.168.2.4
Jan 15, 2025 15:41:06.783337116 CET	50196	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:06.783390045 CET	50196	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:06.783390045 CET	50196	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:06.791883945 CET	445	50062	139.184.56.1	192.168.2.4
Jan 15, 2025 15:41:06.791904926 CET	445	50062	139.184.56.1	192.168.2.4
Jan 15, 2025 15:41:06.791925907 CET	445	50196	79.143.219.1	192.168.2.4
Jan 15, 2025 15:41:06.951293945 CET	445	50063	111.199.171.1	192.168.2.4
Jan 15, 2025 15:41:06.951518059 CET	50063	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:41:06.951518059 CET	50063	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:41:06.951518059 CET	50063	445	192.168.2.4	111.199.171.1
Jan 15, 2025 15:41:06.956545115 CET	445	50063	111.199.171.1	192.168.2.4
Jan 15, 2025 15:41:06.956578016 CET	445	50063	111.199.171.1	192.168.2.4
Jan 15, 2025 15:41:07.012207031 CET	50211	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.017286062 CET	445	50211	111.199.171.2	192.168.2.4
Jan 15, 2025 15:41:07.017357111 CET	50211	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.017460108 CET	50211	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.018126011 CET	50212	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.022432089 CET	445	50211	111.199.171.2	192.168.2.4
Jan 15, 2025 15:41:07.022485971 CET	50211	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.022972107 CET	445	50212	111.199.171.2	192.168.2.4
Jan 15, 2025 15:41:07.023036003 CET	50212	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.023070097 CET	50212	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:07.027831078 CET	445	50212	111.199.171.2	192.168.2.4
Jan 15, 2025 15:41:08.669030905 CET	50247	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:08.673944950 CET	445	50247	94.240.109.1	192.168.2.4
Jan 15, 2025 15:41:08.674036980 CET	50247	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:08.674071074 CET	50247	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:08.678896904 CET	445	50247	94.240.109.1	192.168.2.4
Jan 15, 2025 15:41:08.964745998 CET	445	50065	76.71.199.1	192.168.2.4
Jan 15, 2025 15:41:08.964864969 CET	50065	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:41:08.964909077 CET	50065	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:41:08.964934111 CET	50065	445	192.168.2.4	76.71.199.1
Jan 15, 2025 15:41:08.969655991 CET	445	50065	76.71.199.1	192.168.2.4
Jan 15, 2025 15:41:08.969845057 CET	445	50065	76.71.199.1	192.168.2.4
Jan 15, 2025 15:41:09.027847052 CET	50260	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.032622099 CET	445	50260	76.71.199.2	192.168.2.4
Jan 15, 2025 15:41:09.032722950 CET	50260	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.036462069 CET	50260	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.036782026 CET	50261	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.041260004 CET	445	50260	76.71.199.2	192.168.2.4
Jan 15, 2025 15:41:09.041325092 CET	50260	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.041639090 CET	445	50261	76.71.199.2	192.168.2.4
Jan 15, 2025 15:41:09.041702986 CET	50261	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.041831017 CET	50261	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:09.046637058 CET	445	50261	76.71.199.2	192.168.2.4
Jan 15, 2025 15:41:09.517257929 CET	445	50068	76.16.231.1	192.168.2.4
Jan 15, 2025 15:41:09.517316103 CET	50068	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:09.517368078 CET	50068	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:09.517426014 CET	50068	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:09.522203922 CET	445	50068	76.16.231.1	192.168.2.4
Jan 15, 2025 15:41:09.522248983 CET	445	50068	76.16.231.1	192.168.2.4
Jan 15, 2025 15:41:09.793457985 CET	50282	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:09.798326015 CET	445	50282	139.184.56.1	192.168.2.4
Jan 15, 2025 15:41:09.798418999 CET	50282	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:09.798446894 CET	50282	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:09.803245068 CET	445	50282	139.184.56.1	192.168.2.4
Jan 15, 2025 15:41:10.046794891 CET	445	50071	223.125.161.1	192.168.2.4
Jan 15, 2025 15:41:10.046900034 CET	50071	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:41:10.046900988 CET	50071	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:41:10.046986103 CET	50071	445	192.168.2.4	223.125.161.1
Jan 15, 2025 15:41:10.051775932 CET	445	50071	223.125.161.1	192.168.2.4
Jan 15, 2025 15:41:10.051791906 CET	445	50071	223.125.161.1	192.168.2.4
Jan 15, 2025 15:41:11.033360004 CET	445	50072	32.41.128.1	192.168.2.4
Jan 15, 2025 15:41:11.033454895 CET	50072	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:41:11.033480883 CET	50072	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:41:11.033510923 CET	50072	445	192.168.2.4	32.41.128.1
Jan 15, 2025 15:41:11.039447069 CET	445	50072	32.41.128.1	192.168.2.4
Jan 15, 2025 15:41:11.039522886 CET	445	50072	32.41.128.1	192.168.2.4
Jan 15, 2025 15:41:11.090816975 CET	50332	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.095783949 CET	445	50332	32.41.128.2	192.168.2.4
Jan 15, 2025 15:41:11.095890999 CET	50332	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.100740910 CET	50332	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.101185083 CET	50334	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.105598927 CET	445	50332	32.41.128.2	192.168.2.4
Jan 15, 2025 15:41:11.105667114 CET	50332	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.105998039 CET	445	50334	32.41.128.2	192.168.2.4
Jan 15, 2025 15:41:11.106066942 CET	50334	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.106123924 CET	50334	445	192.168.2.4	32.41.128.2
Jan 15, 2025 15:41:11.110876083 CET	445	50334	32.41.128.2	192.168.2.4
Jan 15, 2025 15:41:11.542907000 CET	445	50075	205.104.64.1	192.168.2.4
Jan 15, 2025 15:41:11.543082952 CET	50075	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:41:11.543174982 CET	50075	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:41:11.543174982 CET	50075	445	192.168.2.4	205.104.64.1
Jan 15, 2025 15:41:11.548429966 CET	445	50075	205.104.64.1	192.168.2.4
Jan 15, 2025 15:41:11.548470974 CET	445	50075	205.104.64.1	192.168.2.4
Jan 15, 2025 15:41:12.527861118 CET	50454	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:12.532790899 CET	445	50454	76.16.231.1	192.168.2.4
Jan 15, 2025 15:41:12.532958984 CET	50454	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:12.532994032 CET	50454	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:12.537857056 CET	445	50454	76.16.231.1	192.168.2.4
Jan 15, 2025 15:41:12.982767105 CET	445	50078	52.127.103.1	192.168.2.4
Jan 15, 2025 15:41:12.982831955 CET	50078	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:41:13.017828941 CET	445	50079	183.201.58.1	192.168.2.4
Jan 15, 2025 15:41:13.017874002 CET	50079	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:41:13.177653074 CET	50157	445	192.168.2.4	34.70.129.2
Jan 15, 2025 15:41:13.177689075 CET	50116	445	192.168.2.4	148.245.140.1
Jan 15, 2025 15:41:13.177783012 CET	50083	445	192.168.2.4	150.113.209.1
Jan 15, 2025 15:41:13.177819014 CET	50097	445	192.168.2.4	75.40.242.2
Jan 15, 2025 15:41:13.177826881 CET	50196	445	192.168.2.4	79.143.219.1
Jan 15, 2025 15:41:13.177887917 CET	50078	445	192.168.2.4	52.127.103.1
Jan 15, 2025 15:41:13.177923918 CET	50079	445	192.168.2.4	183.201.58.1
Jan 15, 2025 15:41:13.177973032 CET	50082	445	192.168.2.4	219.171.12.1
Jan 15, 2025 15:41:13.177989006 CET	50086	445	192.168.2.4	68.7.6.1
Jan 15, 2025 15:41:13.178033113 CET	50088	445	192.168.2.4	85.207.211.2
Jan 15, 2025 15:41:13.178034067 CET	50091	445	192.168.2.4	221.134.212.1
Jan 15, 2025 15:41:13.178046942 CET	50092	445	192.168.2.4	163.46.23.1
Jan 15, 2025 15:41:13.178070068 CET	50095	445	192.168.2.4	7.211.44.1
Jan 15, 2025 15:41:13.178092957 CET	50100	445	192.168.2.4	13.201.100.1
Jan 15, 2025 15:41:13.178116083 CET	50102	445	192.168.2.4	56.131.124.1
Jan 15, 2025 15:41:13.178133965 CET	50106	445	192.168.2.4	5.179.105.1
Jan 15, 2025 15:41:13.178150892 CET	50113	445	192.168.2.4	43.95.77.2
Jan 15, 2025 15:41:13.178177118 CET	50122	445	192.168.2.4	10.10.127.1
Jan 15, 2025 15:41:13.178204060 CET	50125	445	192.168.2.4	9.190.114.1
Jan 15, 2025 15:41:13.178231955 CET	50133	445	192.168.2.4	158.253.134.1
Jan 15, 2025 15:41:13.178250074 CET	50140	445	192.168.2.4	20.119.231.2
Jan 15, 2025 15:41:13.178267002 CET	50146	445	192.168.2.4	126.222.69.1
Jan 15, 2025 15:41:13.178294897 CET	50165	445	192.168.2.4	135.243.33.1
Jan 15, 2025 15:41:13.178323030 CET	50195	445	192.168.2.4	165.109.216.2
Jan 15, 2025 15:41:13.178348064 CET	50212	445	192.168.2.4	111.199.171.2
Jan 15, 2025 15:41:13.178369999 CET	50261	445	192.168.2.4	76.71.199.2
Jan 15, 2025 15:41:13.178436995 CET	50247	445	192.168.2.4	94.240.109.1
Jan 15, 2025 15:41:13.178457022 CET	50282	445	192.168.2.4	139.184.56.1
Jan 15, 2025 15:41:13.178484917 CET	50454	445	192.168.2.4	76.16.231.1
Jan 15, 2025 15:41:13.178560019 CET	50334	445	192.168.2.4	32.41.128.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 15:40:05.834939003 CET	59645	53	192.168.2.4	1.1.1.1
Jan 15, 2025 15:40:06.155663013 CET	53	59645	1.1.1.1	192.168.2.4
Jan 15, 2025 15:40:06.790016890 CET	58341	53	192.168.2.4	1.1.1.1
Jan 15, 2025 15:40:07.118252039 CET	53	58341	1.1.1.1	192.168.2.4
Jan 15, 2025 15:40:21.550074100 CET	138	138	192.168.2.4	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 15:40:05.834939003 CET	192.168.2.4	1.1.1.1	0x18bc	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:40:06.790016890 CET	192.168.2.4	1.1.1.1	0x30b2	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 15:40:06.155663013 CET	1.1.1.1	192.168.2.4	0x18bc	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:40:07.118252039 CET	1.1.1.1	192.168.2.4	0x30b2	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 15:40:07.118252039 CET	1.1.1.1	192.168.2.4	0x30b2	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	103.224.212.215	80	3164	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:40:06.166840076 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 15:40:06.783262968 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 14:40:06 GMT server: Apache set-cookie: __tad=1736952006.1100515; expires=Sat, 13-Jan-2035 14:40:06 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0612-9098-d266b9c3156a content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	199.59.243.228	80	3164	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:40:07.126353979 CET	169	OUT	GET /?subid1=20250116-0140-0612-9098-d266b9c3156a HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 15:40:07.600953102 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 14:40:06 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 04768f6c-8dd5-4f0d-884c-dbdf53d063e1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Nqk8KcWpdBoifOuGjXGbpqQ+LkZe4B54Erty17zpYFPmUvncuJQUwgoZuXVelTo9oq312vZtNX74W8JPgiVSxQ== set-cookie: parking_session=04768f6c-8dd5-4f0d-884c-dbdf53d063e1; expires=Wed, 15 Jan 2025 14:55:07 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4e 71 6b 38 4b 63 57 70 64 42 6f 69 66 4f 75 47 6a 58 47 62 70 71 51 2b 4c 6b 5a 65 34 42 35 34 45 72 74 79 31 37 7a 70 59 46 50 6d 55 76 6e 63 75 4a 51 55 77 67 6f 5a 75 58 56 65 6c 54 6f 39 6f 71 33 31 32 76 5a 74 4e 58 37 34 57 38 4a 50 67 69 56 53 78 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Nqk8KcWpdBoifOuGjXGbpqQ+LkZe4B54Erty17zpYFPmUvncuJQUwgoZuXVelTo9oq312vZtNX74W8JPgiVSxQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 15:40:07.600977898 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDQ3NjhmNmMtOGRkNS00ZjBkLTg4NGMtZGJkZjUzZDA2M2UxIiwicGFnZV90aW1lIjoxNzM2OTUyMDA3LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	103.224.212.215	80	2104	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:40:07.962021112 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 15:40:08.564173937 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 14:40:08 GMT server: Apache set-cookie: __tad=1736952008.3381355; expires=Sat, 13-Jan-2035 14:40:08 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-08a2-bd71-14f1e6207580 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	199.59.243.228	80	2104	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:40:08.587573051 CET	169	OUT	GET /?subid1=20250116-0140-08a2-bd71-14f1e6207580 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 15:40:09.060187101 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 14:40:08 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 4d08e4f5-eea1-494d-97b0-b49f09567c6a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ntlGgthpIWyWGP/tojemTbiAqhN8C5+L/hW3M+MrvQiv1V+e3PsT44DjQysChUmWX0gIATNIMsY9/tWaywDw3w== set-cookie: parking_session=4d08e4f5-eea1-494d-97b0-b49f09567c6a; expires=Wed, 15 Jan 2025 14:55:09 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 6c 47 67 74 68 70 49 57 79 57 47 50 2f 74 6f 6a 65 6d 54 62 69 41 71 68 4e 38 43 35 2b 4c 2f 68 57 33 4d 2b 4d 72 76 51 69 76 31 56 2b 65 33 50 73 54 34 34 44 6a 51 79 73 43 68 55 6d 57 58 30 67 49 41 54 4e 49 4d 73 59 39 2f 74 57 61 79 77 44 77 33 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ntlGgthpIWyWGP/tojemTbiAqhN8C5+L/hW3M+MrvQiv1V+e3PsT44DjQysChUmWX0gIATNIMsY9/tWaywDw3w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 15:40:09.060208082 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGQwOGU0ZjUtZWVhMS00OTRkLTk3YjAtYjQ5ZjA5NTY3YzZhIiwicGFnZV90aW1lIjoxNzM2OTUyMDA5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	103.224.212.215	80	6264	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:40:08.700165987 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736952006.1100515
Jan 15, 2025 15:40:09.316423893 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 14:40:09 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0140-0955-b54b-361d8820c336 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	199.59.243.228	80	6264	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:40:09.325578928 CET	231	OUT	GET /?subid1=20250116-0140-0955-b54b-361d8820c336 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=04768f6c-8dd5-4f0d-884c-dbdf53d063e1
Jan 15, 2025 15:40:09.790345907 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 14:40:08 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 76133d54-1000-4f11-951e-e3a4e5b148e9 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JP8OuIA9xpHiNswGnuhaFf2yfASBTTszG5K/WBT8yaUNAGNM4Yg4pWBaEIZroRqSWILNVLwG41zydp9dCxFh0g== set-cookie: parking_session=04768f6c-8dd5-4f0d-884c-dbdf53d063e1; expires=Wed, 15 Jan 2025 14:55:09 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 50 38 4f 75 49 41 39 78 70 48 69 4e 73 77 47 6e 75 68 61 46 66 32 79 66 41 53 42 54 54 73 7a 47 35 4b 2f 57 42 54 38 79 61 55 4e 41 47 4e 4d 34 59 67 34 70 57 42 61 45 49 5a 72 6f 52 71 53 57 49 4c 4e 56 4c 77 47 34 31 7a 79 64 70 39 64 43 78 46 68 30 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JP8OuIA9xpHiNswGnuhaFf2yfASBTTszG5K/WBT8yaUNAGNM4Yg4pWBaEIZroRqSWILNVLwG41zydp9dCxFh0g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 15:40:09.790370941 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDQ3NjhmNmMtOGRkNS00ZjBkLTg4NGMtZGJkZjUzZDA2M2UxIiwicGFnZV90aW1lIjoxNzM2OTUyMDA5LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	09:40:04
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll"
Imagebase:	0xbb0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:40:04
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:40:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:40:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mLm1d1GV4R.dll,PlayGame
Imagebase:	0x5a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:40:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",#1
Imagebase:	0x5a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:40:04
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E916117384C8250971067D18F2734F8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1727467369.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.1727598802.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:40:06
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E916117384C8250971067D18F2734F8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1747881309.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1748144714.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2397201765.000000000226E000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2396969286.0000000001D54000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:40:07
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\mLm1d1GV4R.dll",PlayGame
Imagebase:	0x5a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:40:07
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	E916117384C8250971067D18F2734F8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1769263752.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1756428845.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.1769427655.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1756535765.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29
kernel32.dll, xrefs: 00407CEA
CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
/i, xrefs: 00407E8D

Memory Dump Source

Source File: 00000005.00000002.1762085011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1762058548.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762108569.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762201548.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.1762085011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1762058548.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762108569.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762201548.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.1762085011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1762058548.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762108569.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762201548.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000005.00000002.1762085011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1762058548.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762108569.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762201548.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.1762085011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1762058548.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762108569.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762131330.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762201548.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1762297906.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 2104, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2396242741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396229030.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396257583.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396325576.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396339860.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2396242741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396229030.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396257583.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396325576.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396339860.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000006.00000002.2396242741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396229030.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396257583.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396325576.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396339860.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CreateProcessA, xrefs: 00407D07
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
WINDOWS, xrefs: 00407DF2, 00407E0D
/i, xrefs: 00407E8D
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F

Memory Dump Source

Source File: 00000006.00000002.2396242741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396229030.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396257583.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396325576.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396339860.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2396242741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396229030.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396257583.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396272065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396311528.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396325576.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396339860.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396424447.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mLm1d1GV4R.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvr.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
mLm1d1GV4R.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON