Edit tour

Windows Analysis Report
zTrDsX9gXl.dll

Overview

General Information

Sample name:	zTrDsX9gXl.dll renamed because original name is a hash value
Original sample name:	f26e3b32f48b724f1fc9473823af68a9.dll
Analysis ID:	1592025
MD5:	f26e3b32f48b724f1fc9473823af68a9
SHA1:	43cfbc4f8a8cd1ea6416c4b1e3d163fd8d8bb1b1
SHA256:	6f84d2b8719b64bc655d9f8b94b9c72500f3bd088838c223b4678d690cec2a49
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7276 cmdline: loaddll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7328 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7352 cmdline: rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7376 cmdline: C:\WINDOWS\mssecsvr.exe MD5: DE6BCE2486E432A4B5B864474C28115A)

rundll32.exe (PID: 7336 cmdline: rundll32.exe C:\Users\user\Desktop\zTrDsX9gXl.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7516 cmdline: C:\WINDOWS\mssecsvr.exe MD5: DE6BCE2486E432A4B5B864474C28115A)

mssecsvr.exe (PID: 7464 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: DE6BCE2486E432A4B5B864474C28115A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
zTrDsX9gXl.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
zTrDsX9gXl.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
zTrDsX9gXl.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1749587403.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1724997765.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1703910829.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1732224157.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 7376	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7464	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7516	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1ea6084.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.23d78c8.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1ed8128.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.1ed8128.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.240996c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.240996c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1ed8128.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1ed8128.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.1ed8128.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.23e6948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.23e6948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.23e6948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.23e6948.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.240996c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.240996c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.240996c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1eb5104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1eb5104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1eb5104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.1eb5104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.23d78c8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.23d78c8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.23d78c8.6.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.23e28e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.23e28e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.23e28e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1ea6084.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1ea6084.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x294de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x284bb0:$x3: tasksche.exe 0x294dc0:$x3: tasksche.exe 0x294d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x294e14:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x284b88:$x8: C:\%s\qeriuwjhrf 0x294de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x24f254:$s1: C:\%s\%s 0x26ab7c:$s1: C:\%s\%s 0x284b9c:$s1: C:\%s\%s 0x294d14:$s3: cmd.exe /c "%s" 0x2c7268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x281ed0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x26f2c5:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
6.2.mssecsvr.exe.1ea6084.4.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.1ea6084.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x294dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x294de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1eb10a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1eb10a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1eb10a4.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.23e6948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.23e6948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.23e6948.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1eb5104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1eb5104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
6.2.mssecsvr.exe.1eb5104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 88 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:02:04.003257+0100	2803304	3	Unknown Traffic	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-15T17:02:05.681757+0100	2803304	3	Unknown Traffic	192.168.2.4	49732	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:02:02.999711+0100	2830018	1	A Network Trojan was detected	192.168.2.4	60540	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zTrDsX9gXl.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a38	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf79	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a734	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a7	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf7910	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/H	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 91%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: zTrDsX9gXl.dll	ReversingLabs: Detection: 92%
Source: zTrDsX9gXl.dll	Virustotal: Detection: 93%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: zTrDsX9gXl.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: zTrDsX9gXl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.4:60540 -> 1.1.1.1:53

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0302-0391-8145-be822d640a38 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0302-05ad-88d9-dedd0360a734 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736956923.6688295
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0302-0618-947e-8a073fcf7910 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=db512008-65d2-448a-b6b1-ea5977f3e3e8

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.220
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.220
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.220
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.220
Source: unknown	TCP traffic detected without corresponding DNS query: 23.77.54.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.226
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.226
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.226
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.226
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.39.73.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.108
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.108
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.108
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.108
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 145.201.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.154
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.154
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.154
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.154
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 47.77.228.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.185.47.189
Source: unknown	TCP traffic detected without corresponding DNS query: 115.185.47.189
Source: unknown	TCP traffic detected without corresponding DNS query: 115.185.47.189
Source: unknown	TCP traffic detected without corresponding DNS query: 115.185.47.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.185.47.189
Source: unknown	TCP traffic detected without corresponding DNS query: 115.185.47.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0302-0391-8145-be822d640a38 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0302-05ad-88d9-dedd0360a734 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736956923.6688295
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0302-0618-947e-8a073fcf7910 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=db512008-65d2-448a-b6b1-ea5977f3e3e8

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.1738611393.0000000000C29000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1738611393.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a
Source: mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1732478639.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a7
Source: mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1744892737.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf79
Source: mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/H
Source: mssecsvr.exe, 00000005.00000002.1738611393.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.sK
Source: zTrDsX9gXl.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000005.00000002.1738611393.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1738611393.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1750269582.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1744892737.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000008.00000002.1750269582.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/gB
Source: mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/sX
Source: mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/z
Source: mssecsvr.exe, 00000006.00000002.2374813983.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comckx

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: zTrDsX9gXl.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvr.exe.1ed8128.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.240996c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.23d78c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.23e28e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1eb10a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.23e6948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1eb5104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1749587403.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1724997765.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1703910829.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1732224157.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: zTrDsX9gXl.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: zTrDsX9gXl.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1ea6084.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.23d78c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1ed8128.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1ed8128.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.240996c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.240996c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1ed8128.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1ed8128.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.240996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.240996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.23d78c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.23d78c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.23e28e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.23e28e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1eb10a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1eb10a4.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.23e6948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.23e6948.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1eb5104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1eb5104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: Joe Sandbox View	Dropped File: C:\WINDOWS\qeriuwjhrf (copy) 96D7B2D83E30FED4EEC2CBF2E1FBE426DAD705F918AE8ABBDA0DB4B4AFB82865
Source: Joe Sandbox View	Dropped File: C:\Windows\tasksche.exe 96D7B2D83E30FED4EEC2CBF2E1FBE426DAD705F918AE8ABBDA0DB4B4AFB82865

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: zTrDsX9gXl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: zTrDsX9gXl.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: zTrDsX9gXl.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1ea6084.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.23d78c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1ed8128.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1ed8128.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.240996c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.240996c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1ed8128.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1ed8128.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.240996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.240996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.1eb5104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.23d78c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.23d78c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.23e28e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.23e28e8.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.1ea6084.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1eb10a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1eb10a4.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.23e6948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.23e6948.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.1eb5104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.1eb5104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.5.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: zTrDsX9gXl.dll, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03

Source: zTrDsX9gXl.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zTrDsX9gXl.dll,PlayGame

Source: zTrDsX9gXl.dll	ReversingLabs: Detection: 92%
Source: zTrDsX9gXl.dll	Virustotal: Detection: 93%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zTrDsX9gXl.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zTrDsX9gXl.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: zTrDsX9gXl.dll

Static file information: File size 5267459 > 1048576

Source: zTrDsX9gXl.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.5.dr

Static PE information: section name: .text entropy: 7.663042758896975

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 7580	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7580	Thread sleep time: -192000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7584	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7584	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7580	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000008.00000002.1750269582.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: mssecsvr.exe, 00000005.00000002.1738611393.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1738611393.0000000000C29000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2375316425.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2375316425.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1750269582.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000005.00000002.1738611393.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy@E
Source: mssecsvr.exe, 00000008.00000002.1750269582.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SeE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zTrDsX9gXl.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
zTrDsX9gXl.dll	93%	Virustotal		Browse
zTrDsX9gXl.dll	100%	Avira	TR/Ransom.Gen
zTrDsX9gXl.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	91%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	91%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a38	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf79	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a734	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a7	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf7910	100%	Avira URL Cloud	malware
http://ww25.sK	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/H	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comckx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a734	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf7910	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a38	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf79	mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1744892737.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a7	mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1732478639.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	zTrDsX9gXl.dll	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/sX	mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.sK	mssecsvr.exe, 00000005.00000002.1738611393.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comckx	mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/gB	mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/z	mssecsvr.exe, 00000008.00000002.1750269582.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/H	mssecsvr.exe, 00000006.00000002.2375316425.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000006.00000002.2374813983.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	mssecsvr.exe, 00000008.00000002.1750269582.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a	mssecsvr.exe, 00000005.00000002.1738611393.0000000000C29000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1738611393.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
40.235.31.1	unknown	United States	4249	LILLY-ASUS	false
211.237.66.129	unknown	Korea Republic of	10171	SKTELINK-ASSKTelinkKR	false
23.77.54.1	unknown	United States	16625	AKAMAI-ASUS	false
23.77.54.2	unknown	United States	16625	AKAMAI-ASUS	false
24.5.32.1	unknown	United States	7922	COMCAST-7922US	false
169.137.120.210	unknown	United States	13433	COXNETUS	false
38.46.21.1	unknown	United States	174	COGENT-174US	false
38.46.21.2	unknown	United States	174	COGENT-174US	false
40.24.94.201	unknown	United States	4249	LILLY-ASUS	false
130.53.73.1	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
145.201.0.108	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
40.24.94.1	unknown	United States	4249	LILLY-ASUS	false
130.53.73.5	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
156.251.148.1	unknown	Seychelles	40065	CNSERVERSUS	false
103.135.215.1	unknown	Indonesia	138658	ICOMMUNICATION-AS-APICommunicationBD	false
81.189.195.1	unknown	Austria	8437	UTA-ASAT	false
116.97.98.1	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
66.28.85.150	unknown	United States	14454	PERIMETER-ESECURITYUS	false
184.47.24.152	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
81.189.195.27	unknown	Austria	8437	UTA-ASAT	false
119.163.139.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
91.148.191.1	unknown	Bulgaria	205085	BG-NETPLUSONEBG	false
91.148.191.2	unknown	Bulgaria	205085	BG-NETPLUSONEBG	false
108.104.123.1	unknown	United States	10507	SPCSUS	false
73.4.193.160	unknown	United States	7922	COMCAST-7922US	false
47.77.228.1	unknown	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
47.77.228.2	unknown	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592025
Start date and time:	2025-01-15 17:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zTrDsX9gXl.dll renamed because original name is a hash value
Original Sample Name:	f26e3b32f48b724f1fc9473823af68a9.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 217.20.57.19, 2.23.77.188, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:02:04	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:02:39	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	bot.x86.elf	Get hash	malicious	Unknown	Browse	23.39.183.209
	i486.elf	Get hash	malicious	Mirai	Browse	23.63.45.89
	xd.arm.elf	Get hash	malicious	Mirai	Browse	23.52.165.231
	L#U043e#U0430d#U0435r.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	arm4.elf	Get hash	malicious	Mirai	Browse	23.3.198.114
	https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61f	Get hash	malicious	Unknown	Browse	23.201.255.95
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	23.54.60.112
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	23.47.27.74
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.102.49.254
SKTELINK-ASSKTelinkKR	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	210.111.155.232
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	211.39.58.94
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	211.39.58.91
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	211.43.242.52
	sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	210.219.114.11
	fbot.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	211.39.24.246
	arm5.elf	Get hash	malicious	Unknown	Browse	211.39.24.245
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	211.39.24.210
	wGkT1MeX0l.elf	Get hash	malicious	Mirai	Browse	210.219.114.35
	ls0PnGaKLG.elf	Get hash	malicious	Unknown	Browse	210.219.114.12
LILLY-ASUS	bot.spc.elf	Get hash	malicious	Unknown	Browse	43.78.95.198
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	40.41.147.231
	bot.mips.elf	Get hash	malicious	Unknown	Browse	43.147.50.223
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	43.56.116.219
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	43.11.77.234
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	40.49.125.48
	arm5.elf	Get hash	malicious	Mirai	Browse	42.130.115.41
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	43.205.251.217
	sh4.elf	Get hash	malicious	Mirai	Browse	40.38.217.210
	xd.spc.elf	Get hash	malicious	Mirai	Browse	43.210.115.189

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\WINDOWS\qeriuwjhrf (copy)	ViNIRfmQmE.dll	Get hash	malicious	Wannacry	Browse
	k999IY68oT.dll	Get hash	malicious	Wannacry	Browse
	UBpReASuEC.dll	Get hash	malicious	Wannacry	Browse
	2yQ8hmXyz0.dll	Get hash	malicious	Wannacry	Browse
	4Maoj78D1f.dll	Get hash	malicious	Wannacry	Browse
	9UxtlcUBmY.dll	Get hash	malicious	Wannacry	Browse
	41ECj4EgTY.dll	Get hash	malicious	Wannacry	Browse
C:\Windows\tasksche.exe	ViNIRfmQmE.dll	Get hash	malicious	Wannacry	Browse
	k999IY68oT.dll	Get hash	malicious	Wannacry	Browse
	UBpReASuEC.dll	Get hash	malicious	Wannacry	Browse
	2yQ8hmXyz0.dll	Get hash	malicious	Wannacry	Browse
	4Maoj78D1f.dll	Get hash	malicious	Wannacry	Browse
	9UxtlcUBmY.dll	Get hash	malicious	Wannacry	Browse
	41ECj4EgTY.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.993464768178038
Encrypted:	true
SSDEEP:	49152:SEMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:ZPoBhz1aRxcSUDk36SAEdhvm
MD5:	A0D0B20286669B4664AE1AEFFAF07A88
SHA1:	28BCAFBD85E84479B575CC1F3C5B3C39875A3A5F
SHA-256:	96D7B2D83E30FED4EEC2CBF2E1FBE426DAD705F918AE8ABBDA0DB4B4AFB82865
SHA-512:	CFF6F64549B7E2961181A041ECBFBE9C90B6B9AAB970609785FCD8A6AD69BE9915B0A6F22C3481EA4E07DC8BE3E4591FB49C551ABC22CEDA2239935ADFEC0249
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Joe Sandbox View:	Filename: ViNIRfmQmE.dll, Detection: malicious, Browse Filename: k999IY68oT.dll, Detection: malicious, Browse Filename: UBpReASuEC.dll, Detection: malicious, Browse Filename: 2yQ8hmXyz0.dll, Detection: malicious, Browse Filename: 4Maoj78D1f.dll, Detection: malicious, Browse Filename: 9UxtlcUBmY.dll, Detection: malicious, Browse Filename: 41ECj4EgTY.dll, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.993464768178038
Encrypted:	true
SSDEEP:	49152:SEMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:ZPoBhz1aRxcSUDk36SAEdhvm
MD5:	A0D0B20286669B4664AE1AEFFAF07A88
SHA1:	28BCAFBD85E84479B575CC1F3C5B3C39875A3A5F
SHA-256:	96D7B2D83E30FED4EEC2CBF2E1FBE426DAD705F918AE8ABBDA0DB4B4AFB82865
SHA-512:	CFF6F64549B7E2961181A041ECBFBE9C90B6B9AAB970609785FCD8A6AD69BE9915B0A6F22C3481EA4E07DC8BE3E4591FB49C551ABC22CEDA2239935ADFEC0249
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91%
Joe Sandbox View:	Filename: ViNIRfmQmE.dll, Detection: malicious, Browse Filename: k999IY68oT.dll, Detection: malicious, Browse Filename: UBpReASuEC.dll, Detection: malicious, Browse Filename: 2yQ8hmXyz0.dll, Detection: malicious, Browse Filename: 4Maoj78D1f.dll, Detection: malicious, Browse Filename: 9UxtlcUBmY.dll, Detection: malicious, Browse Filename: 41ECj4EgTY.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4183021947308045
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zTrDsX9gXl.dll
File size:	5'267'459 bytes
MD5:	f26e3b32f48b724f1fc9473823af68a9
SHA1:	43cfbc4f8a8cd1ea6416c4b1e3d163fd8d8bb1b1
SHA256:	6f84d2b8719b64bc655d9f8b94b9c72500f3bd088838c223b4678d690cec2a49
SHA512:	2d86677ee4954634021d43fbf56dc9bca1057434d4d7ac1f1e5ef0872c7d5cc1dc3ceeddba4c2f4429c5417117a8f25cac1615533a53ac66d3bf57089770ef40
SSDEEP:	98304:nfPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:nfPe1Cxcxk3ZAEUadzR8yc4H
TLSH:	943633D4626C62FCF1440EF444778A1AB7B73C6D66FA4E1F97C086660D43B9BABC0A41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F8234B41F3Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F8234B41F58h
cmp esi, 01h
je 00007F8234B41F37h
cmp esi, 02h
jne 00007F8234B41F54h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F8234B41F3Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F8234B41F3Eh
push edi
push esi
push ebx
call 00007F8234B41E4Ah
test eax, eax
jne 00007F8234B41F36h
xor eax, eax
jmp 00007F8234B41F80h
push edi
push esi
push ebx
call 00007F8234B41CFCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F8234B41F3Eh
test eax, eax
jne 00007F8234B41F69h
push edi
push eax
push ebx
call 00007F8234B41E26h
test esi, esi
je 00007F8234B41F37h
cmp esi, 03h
jne 00007F8234B41F58h
push edi
push esi
push ebx
call 00007F8234B41E15h
test eax, eax
jne 00007F8234B41F35h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F8234B41F43h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F8234B41F3Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	fea3fa9d6caac633e79e2e8f99aae159	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8792238235473633

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T17:02:02.999711+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.4	60540	1.1.1.1	53	UDP
2025-01-15T17:02:04.003257+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-15T17:02:05.681757+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49732	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:02:03.309783936 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:03.317243099 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:03.317323923 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:03.317462921 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:03.322267056 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:04.003189087 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:04.003206968 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:04.003257036 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:04.003267050 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:04.003307104 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:04.008481979 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:04.013205051 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:04.351438046 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:04.356384993 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:04.359363079 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:04.367757082 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:04.372931004 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:04.879179001 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:04.879224062 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:04.879288912 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:04.879390955 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:04.883730888 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:04.883765936 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:05.058307886 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.063229084 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:05.063324928 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.063698053 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.068558931 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:05.681677103 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:05.681756973 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.681838989 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:05.681888103 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.684695959 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.689495087 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:05.691370964 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:05.696352005 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:05.696436882 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:05.696553946 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:05.701381922 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:05.773909092 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.779064894 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:05.779149055 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.779393911 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:05.784188032 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:06.161392927 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:06.161468029 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.161482096 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:06.161525965 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.167591095 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.167622089 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.206001043 CET	49735	445	192.168.2.4	23.77.54.220
Jan 15, 2025 17:02:06.210994005 CET	445	49735	23.77.54.220	192.168.2.4
Jan 15, 2025 17:02:06.211097002 CET	49735	445	192.168.2.4	23.77.54.220
Jan 15, 2025 17:02:06.211690903 CET	49735	445	192.168.2.4	23.77.54.220
Jan 15, 2025 17:02:06.211949110 CET	49736	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.216857910 CET	445	49736	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:06.216923952 CET	49736	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.216999054 CET	49736	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.221116066 CET	49737	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.223628044 CET	445	49735	23.77.54.220	192.168.2.4
Jan 15, 2025 17:02:06.223644972 CET	445	49736	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:06.225949049 CET	445	49737	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:06.226012945 CET	49737	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.226059914 CET	49737	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.228916883 CET	445	49735	23.77.54.220	192.168.2.4
Jan 15, 2025 17:02:06.228981972 CET	49735	445	192.168.2.4	23.77.54.220
Jan 15, 2025 17:02:06.229291916 CET	445	49736	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:06.229346991 CET	49736	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:06.230900049 CET	445	49737	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:06.424515009 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:06.424588919 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:06.424684048 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:06.424738884 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:06.431575060 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:02:06.432813883 CET	49744	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.436530113 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:02:06.437688112 CET	80	49744	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:06.437876940 CET	49744	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.437876940 CET	49744	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.442747116 CET	80	49744	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:06.915353060 CET	80	49744	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:06.915380955 CET	80	49744	199.59.243.228	192.168.2.4
Jan 15, 2025 17:02:06.915781021 CET	49744	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.944629908 CET	49744	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:06.944629908 CET	49744	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:02:08.221873045 CET	49761	445	192.168.2.4	212.39.73.226
Jan 15, 2025 17:02:08.226970911 CET	445	49761	212.39.73.226	192.168.2.4
Jan 15, 2025 17:02:08.227094889 CET	49761	445	192.168.2.4	212.39.73.226
Jan 15, 2025 17:02:08.227278948 CET	49761	445	192.168.2.4	212.39.73.226
Jan 15, 2025 17:02:08.231695890 CET	49762	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.232621908 CET	445	49761	212.39.73.226	192.168.2.4
Jan 15, 2025 17:02:08.232688904 CET	49761	445	192.168.2.4	212.39.73.226
Jan 15, 2025 17:02:08.236552000 CET	445	49762	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:08.236637115 CET	49762	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.236669064 CET	49762	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.239717960 CET	49763	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.241631985 CET	445	49762	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:08.241707087 CET	49762	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.244571924 CET	445	49763	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:08.244647980 CET	49763	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.244712114 CET	49763	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:08.249574900 CET	445	49763	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:10.237627029 CET	49786	445	192.168.2.4	145.201.0.108
Jan 15, 2025 17:02:10.242613077 CET	445	49786	145.201.0.108	192.168.2.4
Jan 15, 2025 17:02:10.242717981 CET	49786	445	192.168.2.4	145.201.0.108
Jan 15, 2025 17:02:10.242826939 CET	49786	445	192.168.2.4	145.201.0.108
Jan 15, 2025 17:02:10.243134022 CET	49787	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.247736931 CET	445	49786	145.201.0.108	192.168.2.4
Jan 15, 2025 17:02:10.247836113 CET	49786	445	192.168.2.4	145.201.0.108
Jan 15, 2025 17:02:10.247909069 CET	445	49787	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:10.247978926 CET	49787	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.248014927 CET	49787	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.249319077 CET	49788	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.252983093 CET	445	49787	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:10.253062010 CET	49787	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.254133940 CET	445	49788	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:10.254211903 CET	49788	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.254293919 CET	49788	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:10.259130001 CET	445	49788	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:12.252373934 CET	49811	445	192.168.2.4	47.77.228.154
Jan 15, 2025 17:02:12.257395983 CET	445	49811	47.77.228.154	192.168.2.4
Jan 15, 2025 17:02:12.257478952 CET	49811	445	192.168.2.4	47.77.228.154
Jan 15, 2025 17:02:12.257502079 CET	49811	445	192.168.2.4	47.77.228.154
Jan 15, 2025 17:02:12.257693052 CET	49812	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.262537003 CET	445	49811	47.77.228.154	192.168.2.4
Jan 15, 2025 17:02:12.262577057 CET	445	49812	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:12.262603045 CET	49811	445	192.168.2.4	47.77.228.154
Jan 15, 2025 17:02:12.262659073 CET	49812	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.262720108 CET	49812	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.263843060 CET	49813	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.267612934 CET	445	49812	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:12.267803907 CET	445	49812	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:12.267864943 CET	49812	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.268663883 CET	445	49813	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:12.268723011 CET	49813	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.268771887 CET	49813	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:12.273526907 CET	445	49813	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:14.268099070 CET	49835	445	192.168.2.4	115.185.47.189
Jan 15, 2025 17:02:14.273159027 CET	445	49835	115.185.47.189	192.168.2.4
Jan 15, 2025 17:02:14.273272038 CET	49835	445	192.168.2.4	115.185.47.189
Jan 15, 2025 17:02:14.273371935 CET	49835	445	192.168.2.4	115.185.47.189
Jan 15, 2025 17:02:14.273699045 CET	49836	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.278239965 CET	445	49835	115.185.47.189	192.168.2.4
Jan 15, 2025 17:02:14.278306007 CET	49835	445	192.168.2.4	115.185.47.189
Jan 15, 2025 17:02:14.278567076 CET	445	49836	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:14.278631926 CET	49836	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.278692961 CET	49836	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.279782057 CET	49837	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.283581972 CET	445	49836	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:14.283675909 CET	445	49836	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:14.283730030 CET	49836	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.284584999 CET	445	49837	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:14.284678936 CET	49837	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.284725904 CET	49837	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:14.289520025 CET	445	49837	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:16.284941912 CET	49858	445	192.168.2.4	180.212.215.222
Jan 15, 2025 17:02:16.289882898 CET	445	49858	180.212.215.222	192.168.2.4
Jan 15, 2025 17:02:16.289978981 CET	49858	445	192.168.2.4	180.212.215.222
Jan 15, 2025 17:02:16.290038109 CET	49858	445	192.168.2.4	180.212.215.222
Jan 15, 2025 17:02:16.290447950 CET	49859	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.294981956 CET	445	49858	180.212.215.222	192.168.2.4
Jan 15, 2025 17:02:16.295038939 CET	49858	445	192.168.2.4	180.212.215.222
Jan 15, 2025 17:02:16.295279980 CET	445	49859	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:16.295345068 CET	49859	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.295459032 CET	49859	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.297009945 CET	49860	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.300343037 CET	445	49859	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:16.300401926 CET	49859	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.301783085 CET	445	49860	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:16.301856995 CET	49860	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.301929951 CET	49860	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:16.306658983 CET	445	49860	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:18.298774958 CET	49882	445	192.168.2.4	159.109.196.74
Jan 15, 2025 17:02:18.303678036 CET	445	49882	159.109.196.74	192.168.2.4
Jan 15, 2025 17:02:18.303791046 CET	49882	445	192.168.2.4	159.109.196.74
Jan 15, 2025 17:02:18.303886890 CET	49882	445	192.168.2.4	159.109.196.74
Jan 15, 2025 17:02:18.304066896 CET	49883	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.308676958 CET	445	49882	159.109.196.74	192.168.2.4
Jan 15, 2025 17:02:18.308737040 CET	49882	445	192.168.2.4	159.109.196.74
Jan 15, 2025 17:02:18.308888912 CET	445	49883	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:18.308960915 CET	49883	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.309005022 CET	49883	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.311238050 CET	49884	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.313910007 CET	445	49883	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:18.313960075 CET	49883	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.316056967 CET	445	49884	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:18.316127062 CET	49884	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.316258907 CET	49884	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:18.321044922 CET	445	49884	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:20.314517975 CET	49906	445	192.168.2.4	48.26.87.34
Jan 15, 2025 17:02:20.320480108 CET	445	49906	48.26.87.34	192.168.2.4
Jan 15, 2025 17:02:20.320574999 CET	49906	445	192.168.2.4	48.26.87.34
Jan 15, 2025 17:02:20.320652962 CET	49906	445	192.168.2.4	48.26.87.34
Jan 15, 2025 17:02:20.320790052 CET	49907	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.326313972 CET	445	49906	48.26.87.34	192.168.2.4
Jan 15, 2025 17:02:20.326402903 CET	49906	445	192.168.2.4	48.26.87.34
Jan 15, 2025 17:02:20.326486111 CET	445	49907	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:20.326560974 CET	49907	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.326606989 CET	49907	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.326942921 CET	49908	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.332349062 CET	445	49907	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:20.332433939 CET	49907	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.332576990 CET	445	49908	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:20.332654953 CET	49908	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.332726955 CET	49908	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:20.338213921 CET	445	49908	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:20.573082924 CET	80	49723	217.20.57.18	192.168.2.4
Jan 15, 2025 17:02:20.573235989 CET	49723	80	192.168.2.4	217.20.57.18
Jan 15, 2025 17:02:20.573271990 CET	49723	80	192.168.2.4	217.20.57.18
Jan 15, 2025 17:02:20.578083038 CET	80	49723	217.20.57.18	192.168.2.4
Jan 15, 2025 17:02:22.329926968 CET	49931	445	192.168.2.4	84.75.149.77
Jan 15, 2025 17:02:22.334856987 CET	445	49931	84.75.149.77	192.168.2.4
Jan 15, 2025 17:02:22.335077047 CET	49931	445	192.168.2.4	84.75.149.77
Jan 15, 2025 17:02:22.335115910 CET	49931	445	192.168.2.4	84.75.149.77
Jan 15, 2025 17:02:22.335279942 CET	49932	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.339977026 CET	445	49931	84.75.149.77	192.168.2.4
Jan 15, 2025 17:02:22.340023994 CET	445	49932	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:22.340042114 CET	49931	445	192.168.2.4	84.75.149.77
Jan 15, 2025 17:02:22.340106010 CET	49932	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.340161085 CET	49932	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.340492010 CET	49933	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.345093966 CET	445	49932	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:22.345149040 CET	49932	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.345316887 CET	445	49933	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:22.345387936 CET	49933	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.345424891 CET	49933	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:22.350188017 CET	445	49933	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:24.345596075 CET	49954	445	192.168.2.4	73.4.193.160
Jan 15, 2025 17:02:24.350542068 CET	445	49954	73.4.193.160	192.168.2.4
Jan 15, 2025 17:02:24.350682020 CET	49954	445	192.168.2.4	73.4.193.160
Jan 15, 2025 17:02:24.350717068 CET	49954	445	192.168.2.4	73.4.193.160
Jan 15, 2025 17:02:24.350922108 CET	49955	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.355608940 CET	445	49954	73.4.193.160	192.168.2.4
Jan 15, 2025 17:02:24.355704069 CET	445	49955	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:24.355717897 CET	445	49954	73.4.193.160	192.168.2.4
Jan 15, 2025 17:02:24.355756044 CET	49955	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.355778933 CET	49954	445	192.168.2.4	73.4.193.160
Jan 15, 2025 17:02:24.355916023 CET	49955	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.356174946 CET	49956	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.361001968 CET	445	49955	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:24.361020088 CET	445	49956	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:24.361056089 CET	49955	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.361093044 CET	49956	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.361150026 CET	49956	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:24.365995884 CET	445	49956	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:26.361188889 CET	49979	445	192.168.2.4	156.251.148.77
Jan 15, 2025 17:02:26.367861986 CET	445	49979	156.251.148.77	192.168.2.4
Jan 15, 2025 17:02:26.367990971 CET	49979	445	192.168.2.4	156.251.148.77
Jan 15, 2025 17:02:26.368127108 CET	49979	445	192.168.2.4	156.251.148.77
Jan 15, 2025 17:02:26.368365049 CET	49980	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.372955084 CET	445	49979	156.251.148.77	192.168.2.4
Jan 15, 2025 17:02:26.373039961 CET	49979	445	192.168.2.4	156.251.148.77
Jan 15, 2025 17:02:26.373125076 CET	445	49980	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:26.373193026 CET	49980	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.373219013 CET	49980	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.373513937 CET	49981	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.379725933 CET	445	49980	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:26.379749060 CET	445	49981	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:26.379878044 CET	49981	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.379939079 CET	49980	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.379975080 CET	49981	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:26.386040926 CET	445	49981	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:27.623459101 CET	445	49737	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:27.623724937 CET	49737	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:27.625819921 CET	49737	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:27.625891924 CET	49737	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:27.630661011 CET	445	49737	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:27.630705118 CET	445	49737	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:28.376797915 CET	50004	445	192.168.2.4	92.102.45.185
Jan 15, 2025 17:02:28.382967949 CET	445	50004	92.102.45.185	192.168.2.4
Jan 15, 2025 17:02:28.383141994 CET	50004	445	192.168.2.4	92.102.45.185
Jan 15, 2025 17:02:28.383141994 CET	50004	445	192.168.2.4	92.102.45.185
Jan 15, 2025 17:02:28.383399010 CET	50005	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.389280081 CET	445	50005	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:28.389359951 CET	50005	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.389389038 CET	50005	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.389439106 CET	445	50004	92.102.45.185	192.168.2.4
Jan 15, 2025 17:02:28.389508009 CET	50004	445	192.168.2.4	92.102.45.185
Jan 15, 2025 17:02:28.389763117 CET	50006	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.395042896 CET	445	50005	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:28.395073891 CET	445	50006	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:28.395144939 CET	50005	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.395191908 CET	50006	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.395260096 CET	50006	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:28.400101900 CET	445	50006	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:29.608747005 CET	445	49763	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:29.608896017 CET	49763	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:29.608979940 CET	49763	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:29.609086990 CET	49763	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:29.613809109 CET	445	49763	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:29.613959074 CET	445	49763	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:30.450536013 CET	50028	445	192.168.2.4	142.169.216.201
Jan 15, 2025 17:02:30.455609083 CET	445	50028	142.169.216.201	192.168.2.4
Jan 15, 2025 17:02:30.455729961 CET	50028	445	192.168.2.4	142.169.216.201
Jan 15, 2025 17:02:30.455785990 CET	50028	445	192.168.2.4	142.169.216.201
Jan 15, 2025 17:02:30.455913067 CET	50029	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.460786104 CET	445	50028	142.169.216.201	192.168.2.4
Jan 15, 2025 17:02:30.460818052 CET	445	50029	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:30.460889101 CET	50028	445	192.168.2.4	142.169.216.201
Jan 15, 2025 17:02:30.460928917 CET	50029	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.464097023 CET	50029	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.464739084 CET	50030	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.469110012 CET	445	50029	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:30.469202042 CET	50029	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.469672918 CET	445	50030	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:30.469777107 CET	50030	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.469819069 CET	50030	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:30.474759102 CET	445	50030	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:30.626575947 CET	50033	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:30.631597996 CET	445	50033	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:30.631711960 CET	50033	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:30.631761074 CET	50033	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:30.636637926 CET	445	50033	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:31.620529890 CET	445	49788	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:31.620661974 CET	49788	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:31.620866060 CET	49788	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:31.620867014 CET	49788	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:31.625653982 CET	445	49788	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:31.625668049 CET	445	49788	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:32.455132961 CET	50040	445	192.168.2.4	119.163.139.138
Jan 15, 2025 17:02:32.460346937 CET	445	50040	119.163.139.138	192.168.2.4
Jan 15, 2025 17:02:32.460556030 CET	50040	445	192.168.2.4	119.163.139.138
Jan 15, 2025 17:02:32.460597038 CET	50040	445	192.168.2.4	119.163.139.138
Jan 15, 2025 17:02:32.460732937 CET	50041	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.465694904 CET	445	50041	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:32.465778112 CET	445	50040	119.163.139.138	192.168.2.4
Jan 15, 2025 17:02:32.465790033 CET	50041	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.465836048 CET	50041	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.465852022 CET	50040	445	192.168.2.4	119.163.139.138
Jan 15, 2025 17:02:32.466234922 CET	50042	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.470799923 CET	445	50041	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:32.470877886 CET	50041	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.471008062 CET	445	50042	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:32.471088886 CET	50042	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.471116066 CET	50042	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:32.475955963 CET	445	50042	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:32.612711906 CET	50043	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:32.617717028 CET	445	50043	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:32.617870092 CET	50043	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:32.617924929 CET	50043	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:32.622710943 CET	445	50043	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:33.636171103 CET	445	49813	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:33.636584997 CET	49813	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:33.638683081 CET	49813	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:33.638816118 CET	49813	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:33.645806074 CET	445	49813	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:33.645821095 CET	445	49813	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:34.470691919 CET	50044	445	192.168.2.4	206.137.46.104
Jan 15, 2025 17:02:34.476042032 CET	445	50044	206.137.46.104	192.168.2.4
Jan 15, 2025 17:02:34.477360010 CET	50044	445	192.168.2.4	206.137.46.104
Jan 15, 2025 17:02:34.477385998 CET	50044	445	192.168.2.4	206.137.46.104
Jan 15, 2025 17:02:34.477495909 CET	50045	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.482363939 CET	445	50045	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:34.482408047 CET	445	50044	206.137.46.104	192.168.2.4
Jan 15, 2025 17:02:34.482439041 CET	50045	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.482464075 CET	50045	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.482465982 CET	50044	445	192.168.2.4	206.137.46.104
Jan 15, 2025 17:02:34.482889891 CET	50046	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.488401890 CET	445	50045	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:34.488418102 CET	445	50046	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:34.488457918 CET	50045	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.488503933 CET	50046	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.488543987 CET	50046	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:34.493649006 CET	445	50046	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:34.626782894 CET	50047	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:34.631761074 CET	445	50047	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:34.631865025 CET	50047	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:34.631937981 CET	50047	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:34.636733055 CET	445	50047	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:35.667854071 CET	445	49837	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:35.667949915 CET	49837	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:35.668040991 CET	49837	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:35.668137074 CET	49837	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:35.672873974 CET	445	49837	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:35.672934055 CET	445	49837	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:36.014820099 CET	80	49724	217.20.57.18	192.168.2.4
Jan 15, 2025 17:02:36.015074015 CET	49724	80	192.168.2.4	217.20.57.18
Jan 15, 2025 17:02:36.015074968 CET	49724	80	192.168.2.4	217.20.57.18
Jan 15, 2025 17:02:36.019963980 CET	80	49724	217.20.57.18	192.168.2.4
Jan 15, 2025 17:02:36.486197948 CET	50048	445	192.168.2.4	130.53.73.5
Jan 15, 2025 17:02:36.491175890 CET	445	50048	130.53.73.5	192.168.2.4
Jan 15, 2025 17:02:36.491270065 CET	50048	445	192.168.2.4	130.53.73.5
Jan 15, 2025 17:02:36.491302967 CET	50048	445	192.168.2.4	130.53.73.5
Jan 15, 2025 17:02:36.491415024 CET	50049	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.496189117 CET	445	50049	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:36.496244907 CET	50049	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.496247053 CET	445	50048	130.53.73.5	192.168.2.4
Jan 15, 2025 17:02:36.496269941 CET	50049	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.496295929 CET	50048	445	192.168.2.4	130.53.73.5
Jan 15, 2025 17:02:36.496551037 CET	50050	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.501216888 CET	445	50049	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:36.501267910 CET	50049	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.501302958 CET	445	50050	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:36.501352072 CET	50050	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.501391888 CET	50050	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:36.506128073 CET	445	50050	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:36.642391920 CET	50051	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:36.647327900 CET	445	50051	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:36.647423983 CET	50051	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:36.647515059 CET	50051	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:36.652275085 CET	445	50051	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:37.667471886 CET	445	49860	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:37.667576075 CET	49860	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:37.667779922 CET	49860	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:37.668335915 CET	49860	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:37.672574997 CET	445	49860	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:37.673176050 CET	445	49860	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:38.501815081 CET	50052	445	192.168.2.4	66.28.85.150
Jan 15, 2025 17:02:38.507447958 CET	445	50052	66.28.85.150	192.168.2.4
Jan 15, 2025 17:02:38.507580042 CET	50052	445	192.168.2.4	66.28.85.150
Jan 15, 2025 17:02:38.507664919 CET	50052	445	192.168.2.4	66.28.85.150
Jan 15, 2025 17:02:38.507869959 CET	50053	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.513073921 CET	445	50053	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:38.513089895 CET	445	50052	66.28.85.150	192.168.2.4
Jan 15, 2025 17:02:38.513148069 CET	50053	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.513170004 CET	50052	445	192.168.2.4	66.28.85.150
Jan 15, 2025 17:02:38.513288975 CET	50053	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.513761044 CET	50054	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.518325090 CET	445	50053	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:38.518395901 CET	50053	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.518702984 CET	445	50054	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:38.518769026 CET	50054	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.518810987 CET	50054	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:38.523622990 CET	445	50054	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:38.673662901 CET	50055	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:38.678900003 CET	445	50055	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:38.679007053 CET	50055	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:38.679085970 CET	50055	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:02:38.683923006 CET	445	50055	115.185.47.1	192.168.2.4
Jan 15, 2025 17:02:39.671211958 CET	445	49884	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:39.671506882 CET	49884	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:39.671506882 CET	49884	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:39.671506882 CET	49884	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:39.676415920 CET	445	49884	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:39.676434040 CET	445	49884	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:40.517960072 CET	50056	445	192.168.2.4	103.135.215.157
Jan 15, 2025 17:02:40.522831917 CET	445	50056	103.135.215.157	192.168.2.4
Jan 15, 2025 17:02:40.522937059 CET	50056	445	192.168.2.4	103.135.215.157
Jan 15, 2025 17:02:40.522969007 CET	50056	445	192.168.2.4	103.135.215.157
Jan 15, 2025 17:02:40.523149967 CET	50057	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.527925968 CET	445	50056	103.135.215.157	192.168.2.4
Jan 15, 2025 17:02:40.527957916 CET	445	50057	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:40.528007984 CET	50056	445	192.168.2.4	103.135.215.157
Jan 15, 2025 17:02:40.528165102 CET	50057	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.528193951 CET	50057	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.528459072 CET	50058	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.533142090 CET	445	50057	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:40.533201933 CET	50057	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.533235073 CET	445	50058	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:40.533296108 CET	50058	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.533348083 CET	50058	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:40.538099051 CET	445	50058	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:40.673437119 CET	50059	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:40.678441048 CET	445	50059	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:40.678556919 CET	50059	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:40.678596020 CET	50059	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:02:40.683439016 CET	445	50059	180.212.215.1	192.168.2.4
Jan 15, 2025 17:02:41.698772907 CET	445	49908	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:41.698857069 CET	49908	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:41.698889971 CET	49908	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:41.698934078 CET	49908	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:41.703824997 CET	445	49908	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:41.703856945 CET	445	49908	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:42.392493963 CET	50060	445	192.168.2.4	116.97.98.20
Jan 15, 2025 17:02:42.397579908 CET	445	50060	116.97.98.20	192.168.2.4
Jan 15, 2025 17:02:42.397733927 CET	50060	445	192.168.2.4	116.97.98.20
Jan 15, 2025 17:02:42.397775888 CET	50060	445	192.168.2.4	116.97.98.20
Jan 15, 2025 17:02:42.397886992 CET	50061	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.402759075 CET	445	50061	116.97.98.1	192.168.2.4
Jan 15, 2025 17:02:42.402829885 CET	50061	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.402861118 CET	50061	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.402942896 CET	445	50060	116.97.98.20	192.168.2.4
Jan 15, 2025 17:02:42.403002977 CET	50060	445	192.168.2.4	116.97.98.20
Jan 15, 2025 17:02:42.403230906 CET	50062	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.407907009 CET	445	50061	116.97.98.1	192.168.2.4
Jan 15, 2025 17:02:42.407995939 CET	50061	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.408272982 CET	445	50062	116.97.98.1	192.168.2.4
Jan 15, 2025 17:02:42.408351898 CET	50062	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.408392906 CET	50062	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:02:42.413224936 CET	445	50062	116.97.98.1	192.168.2.4
Jan 15, 2025 17:02:42.673508883 CET	50063	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:42.678904057 CET	445	50063	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:42.679052114 CET	50063	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:42.679097891 CET	50063	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:02:42.684346914 CET	445	50063	159.109.196.1	192.168.2.4
Jan 15, 2025 17:02:43.747695923 CET	445	49933	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:43.747925997 CET	49933	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:43.747925997 CET	49933	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:43.748105049 CET	49933	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:43.753524065 CET	445	49933	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:43.753556967 CET	445	49933	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:44.142333984 CET	50064	445	192.168.2.4	108.104.123.234
Jan 15, 2025 17:02:44.147392988 CET	445	50064	108.104.123.234	192.168.2.4
Jan 15, 2025 17:02:44.147502899 CET	50064	445	192.168.2.4	108.104.123.234
Jan 15, 2025 17:02:44.147557020 CET	50064	445	192.168.2.4	108.104.123.234
Jan 15, 2025 17:02:44.147819996 CET	50065	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.152704000 CET	445	50065	108.104.123.1	192.168.2.4
Jan 15, 2025 17:02:44.152734995 CET	445	50064	108.104.123.234	192.168.2.4
Jan 15, 2025 17:02:44.152775049 CET	50065	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.152806997 CET	50064	445	192.168.2.4	108.104.123.234
Jan 15, 2025 17:02:44.152972937 CET	50065	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.153414965 CET	50066	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.157918930 CET	445	50065	108.104.123.1	192.168.2.4
Jan 15, 2025 17:02:44.157978058 CET	50065	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.158272982 CET	445	50066	108.104.123.1	192.168.2.4
Jan 15, 2025 17:02:44.158345938 CET	50066	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.158390999 CET	50066	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:02:44.163230896 CET	445	50066	108.104.123.1	192.168.2.4
Jan 15, 2025 17:02:44.704694033 CET	50067	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:44.709850073 CET	445	50067	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:44.709943056 CET	50067	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:44.709979057 CET	50067	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:02:44.716109991 CET	445	50067	48.26.87.1	192.168.2.4
Jan 15, 2025 17:02:45.730736971 CET	445	49956	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:45.730838060 CET	49956	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:45.730946064 CET	49956	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:45.730946064 CET	49956	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:45.735984087 CET	445	49956	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:45.736022949 CET	445	49956	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:45.783132076 CET	50068	445	192.168.2.4	184.47.24.152
Jan 15, 2025 17:02:45.788386106 CET	445	50068	184.47.24.152	192.168.2.4
Jan 15, 2025 17:02:45.788480997 CET	50068	445	192.168.2.4	184.47.24.152
Jan 15, 2025 17:02:45.788499117 CET	50068	445	192.168.2.4	184.47.24.152
Jan 15, 2025 17:02:45.788722992 CET	50069	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.793663979 CET	445	50068	184.47.24.152	192.168.2.4
Jan 15, 2025 17:02:45.793698072 CET	445	50069	184.47.24.1	192.168.2.4
Jan 15, 2025 17:02:45.793731928 CET	50068	445	192.168.2.4	184.47.24.152
Jan 15, 2025 17:02:45.793777943 CET	50069	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.793860912 CET	50069	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.794056892 CET	50070	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.798748016 CET	445	50069	184.47.24.1	192.168.2.4
Jan 15, 2025 17:02:45.798824072 CET	50069	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.798923016 CET	445	50070	184.47.24.1	192.168.2.4
Jan 15, 2025 17:02:45.798985958 CET	50070	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.799005032 CET	50070	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:02:45.803915024 CET	445	50070	184.47.24.1	192.168.2.4
Jan 15, 2025 17:02:46.751539946 CET	50071	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:46.756808043 CET	445	50071	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:46.756903887 CET	50071	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:46.756972075 CET	50071	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:02:46.761945963 CET	445	50071	84.75.149.1	192.168.2.4
Jan 15, 2025 17:02:47.314747095 CET	50072	445	192.168.2.4	40.24.94.201
Jan 15, 2025 17:02:47.319861889 CET	445	50072	40.24.94.201	192.168.2.4
Jan 15, 2025 17:02:47.319993019 CET	50072	445	192.168.2.4	40.24.94.201
Jan 15, 2025 17:02:47.320034981 CET	50072	445	192.168.2.4	40.24.94.201
Jan 15, 2025 17:02:47.320483923 CET	50073	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.325191021 CET	445	50072	40.24.94.201	192.168.2.4
Jan 15, 2025 17:02:47.325270891 CET	50072	445	192.168.2.4	40.24.94.201
Jan 15, 2025 17:02:47.325310946 CET	445	50073	40.24.94.1	192.168.2.4
Jan 15, 2025 17:02:47.325386047 CET	50073	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.325505972 CET	50073	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.325808048 CET	50074	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.330432892 CET	445	50073	40.24.94.1	192.168.2.4
Jan 15, 2025 17:02:47.330526114 CET	50073	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.330760956 CET	445	50074	40.24.94.1	192.168.2.4
Jan 15, 2025 17:02:47.330821037 CET	50074	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.330856085 CET	50074	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:02:47.335633039 CET	445	50074	40.24.94.1	192.168.2.4
Jan 15, 2025 17:02:47.730037928 CET	445	49981	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:47.730160952 CET	49981	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:47.730253935 CET	49981	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:47.730304003 CET	49981	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:47.735071898 CET	445	49981	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:47.735173941 CET	445	49981	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:48.735888958 CET	50075	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:48.736138105 CET	50076	445	192.168.2.4	169.137.120.210
Jan 15, 2025 17:02:48.740813017 CET	445	50075	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:48.740909100 CET	50075	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:48.740923882 CET	50075	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:02:48.740931034 CET	445	50076	169.137.120.210	192.168.2.4
Jan 15, 2025 17:02:48.740981102 CET	50076	445	192.168.2.4	169.137.120.210
Jan 15, 2025 17:02:48.741003036 CET	50076	445	192.168.2.4	169.137.120.210
Jan 15, 2025 17:02:48.741101980 CET	50077	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.745666981 CET	445	50075	73.4.193.1	192.168.2.4
Jan 15, 2025 17:02:48.745830059 CET	445	50077	169.137.120.1	192.168.2.4
Jan 15, 2025 17:02:48.745892048 CET	50077	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.746028900 CET	445	50076	169.137.120.210	192.168.2.4
Jan 15, 2025 17:02:48.746052980 CET	50077	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.746073008 CET	50076	445	192.168.2.4	169.137.120.210
Jan 15, 2025 17:02:48.746318102 CET	50078	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.751734018 CET	445	50077	169.137.120.1	192.168.2.4
Jan 15, 2025 17:02:48.751745939 CET	445	50078	169.137.120.1	192.168.2.4
Jan 15, 2025 17:02:48.751785994 CET	50077	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.751817942 CET	50078	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.751868963 CET	50078	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:02:48.757508993 CET	445	50078	169.137.120.1	192.168.2.4
Jan 15, 2025 17:02:49.782547951 CET	445	50006	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:49.782721043 CET	50006	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:49.782762051 CET	50006	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:49.782815933 CET	50006	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:49.787622929 CET	445	50006	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:49.787635088 CET	445	50006	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:50.065130949 CET	50079	445	192.168.2.4	24.5.32.215
Jan 15, 2025 17:02:50.070106983 CET	445	50079	24.5.32.215	192.168.2.4
Jan 15, 2025 17:02:50.070195913 CET	50079	445	192.168.2.4	24.5.32.215
Jan 15, 2025 17:02:50.070389986 CET	50079	445	192.168.2.4	24.5.32.215
Jan 15, 2025 17:02:50.070863008 CET	50080	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.075325012 CET	445	50079	24.5.32.215	192.168.2.4
Jan 15, 2025 17:02:50.075421095 CET	50079	445	192.168.2.4	24.5.32.215
Jan 15, 2025 17:02:50.075658083 CET	445	50080	24.5.32.1	192.168.2.4
Jan 15, 2025 17:02:50.075726986 CET	50080	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.076020956 CET	50080	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.076479912 CET	50081	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.080879927 CET	445	50080	24.5.32.1	192.168.2.4
Jan 15, 2025 17:02:50.080952883 CET	50080	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.081298113 CET	445	50081	24.5.32.1	192.168.2.4
Jan 15, 2025 17:02:50.081357956 CET	50081	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.081388950 CET	50081	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:02:50.086112022 CET	445	50081	24.5.32.1	192.168.2.4
Jan 15, 2025 17:02:50.127608061 CET	445	50058	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:50.127808094 CET	50058	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:50.127808094 CET	50058	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:50.129338980 CET	50058	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:50.132754087 CET	445	50058	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:50.134121895 CET	445	50058	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:50.735932112 CET	50082	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:50.740864038 CET	445	50082	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:50.740969896 CET	50082	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:50.741103888 CET	50082	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:02:50.745831966 CET	445	50082	156.251.148.1	192.168.2.4
Jan 15, 2025 17:02:51.314304113 CET	50083	445	192.168.2.4	81.189.195.27
Jan 15, 2025 17:02:51.319423914 CET	445	50083	81.189.195.27	192.168.2.4
Jan 15, 2025 17:02:51.319562912 CET	50083	445	192.168.2.4	81.189.195.27
Jan 15, 2025 17:02:51.319607973 CET	50083	445	192.168.2.4	81.189.195.27
Jan 15, 2025 17:02:51.319713116 CET	50084	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.324603081 CET	445	50084	81.189.195.1	192.168.2.4
Jan 15, 2025 17:02:51.324673891 CET	445	50083	81.189.195.27	192.168.2.4
Jan 15, 2025 17:02:51.324683905 CET	50084	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.324704885 CET	50084	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.324733973 CET	50083	445	192.168.2.4	81.189.195.27
Jan 15, 2025 17:02:51.325124979 CET	50085	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.329605103 CET	445	50084	81.189.195.1	192.168.2.4
Jan 15, 2025 17:02:51.329659939 CET	50084	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.329900026 CET	445	50085	81.189.195.1	192.168.2.4
Jan 15, 2025 17:02:51.329957962 CET	50085	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.329992056 CET	50085	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:02:51.334795952 CET	445	50085	81.189.195.1	192.168.2.4
Jan 15, 2025 17:02:51.841854095 CET	445	50030	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:51.842004061 CET	50030	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:51.842053890 CET	50030	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:51.842108011 CET	50030	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:51.848252058 CET	445	50030	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:51.848287106 CET	445	50030	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:51.996335030 CET	445	50033	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:51.996406078 CET	50033	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:51.996447086 CET	50033	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:51.996505022 CET	50033	445	192.168.2.4	23.77.54.1
Jan 15, 2025 17:02:52.002094030 CET	445	50033	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:52.002104998 CET	445	50033	23.77.54.1	192.168.2.4
Jan 15, 2025 17:02:52.048450947 CET	50086	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.054075956 CET	445	50086	23.77.54.2	192.168.2.4
Jan 15, 2025 17:02:52.054137945 CET	50086	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.054195881 CET	50086	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.054502964 CET	50087	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.059362888 CET	445	50086	23.77.54.2	192.168.2.4
Jan 15, 2025 17:02:52.059376001 CET	445	50087	23.77.54.2	192.168.2.4
Jan 15, 2025 17:02:52.059416056 CET	50086	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.059457064 CET	50087	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.059494019 CET	50087	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:02:52.064435959 CET	445	50087	23.77.54.2	192.168.2.4
Jan 15, 2025 17:02:52.798408031 CET	50089	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:52.803306103 CET	445	50089	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:52.803396940 CET	50089	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:52.803550959 CET	50089	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:02:52.808301926 CET	445	50089	92.102.45.1	192.168.2.4
Jan 15, 2025 17:02:53.142030001 CET	50090	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:53.146939039 CET	445	50090	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:53.147002935 CET	50090	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:53.147030115 CET	50090	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:02:53.151818991 CET	445	50090	103.135.215.1	192.168.2.4
Jan 15, 2025 17:02:53.549153090 CET	50091	445	192.168.2.4	91.148.191.112
Jan 15, 2025 17:02:53.554292917 CET	445	50091	91.148.191.112	192.168.2.4
Jan 15, 2025 17:02:53.554397106 CET	50091	445	192.168.2.4	91.148.191.112
Jan 15, 2025 17:02:53.554481030 CET	50091	445	192.168.2.4	91.148.191.112
Jan 15, 2025 17:02:53.554821968 CET	50092	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.559494019 CET	445	50091	91.148.191.112	192.168.2.4
Jan 15, 2025 17:02:53.559581995 CET	50091	445	192.168.2.4	91.148.191.112
Jan 15, 2025 17:02:53.559767008 CET	445	50092	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:53.559842110 CET	50092	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.559905052 CET	50092	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.560225964 CET	50093	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.564970016 CET	445	50092	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:53.565057993 CET	50092	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.565110922 CET	445	50093	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:53.565186024 CET	50093	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.565226078 CET	50093	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:53.570070982 CET	445	50093	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:53.579576015 CET	50094	445	192.168.2.4	38.46.21.27
Jan 15, 2025 17:02:53.584491968 CET	445	50094	38.46.21.27	192.168.2.4
Jan 15, 2025 17:02:53.584687948 CET	50094	445	192.168.2.4	38.46.21.27
Jan 15, 2025 17:02:53.584789991 CET	50094	445	192.168.2.4	38.46.21.27
Jan 15, 2025 17:02:53.584952116 CET	50095	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.589658022 CET	445	50094	38.46.21.27	192.168.2.4
Jan 15, 2025 17:02:53.589725971 CET	50094	445	192.168.2.4	38.46.21.27
Jan 15, 2025 17:02:53.589824915 CET	445	50095	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:53.589899063 CET	50095	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.589934111 CET	50095	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.590285063 CET	50096	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.594852924 CET	445	50095	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:53.594916105 CET	50095	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.595098972 CET	445	50096	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:53.595154047 CET	50096	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.595191002 CET	50096	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:53.600033998 CET	445	50096	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:53.856213093 CET	445	50042	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:53.856414080 CET	50042	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:53.856453896 CET	50042	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:53.856501102 CET	50042	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:53.861745119 CET	445	50042	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:53.861757040 CET	445	50042	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:53.980937958 CET	445	50043	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:53.981017113 CET	50043	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:53.981081963 CET	50043	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:53.981154919 CET	50043	445	192.168.2.4	212.39.73.1
Jan 15, 2025 17:02:53.986610889 CET	445	50043	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:53.986624956 CET	445	50043	212.39.73.1	192.168.2.4
Jan 15, 2025 17:02:54.033256054 CET	50097	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.038392067 CET	445	50097	212.39.73.2	192.168.2.4
Jan 15, 2025 17:02:54.038516045 CET	50097	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.038561106 CET	50097	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.038937092 CET	50098	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.043605089 CET	445	50097	212.39.73.2	192.168.2.4
Jan 15, 2025 17:02:54.043863058 CET	445	50097	212.39.73.2	192.168.2.4
Jan 15, 2025 17:02:54.043894053 CET	445	50098	212.39.73.2	192.168.2.4
Jan 15, 2025 17:02:54.043924093 CET	50097	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.043957949 CET	50098	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.043987989 CET	50098	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:02:54.048801899 CET	445	50098	212.39.73.2	192.168.2.4
Jan 15, 2025 17:02:54.564223051 CET	50099	445	192.168.2.4	211.237.66.129
Jan 15, 2025 17:02:54.569354057 CET	445	50099	211.237.66.129	192.168.2.4
Jan 15, 2025 17:02:54.569463968 CET	50099	445	192.168.2.4	211.237.66.129
Jan 15, 2025 17:02:54.569528103 CET	50099	445	192.168.2.4	211.237.66.129
Jan 15, 2025 17:02:54.569749117 CET	50100	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.574592113 CET	445	50100	211.237.66.1	192.168.2.4
Jan 15, 2025 17:02:54.574625015 CET	445	50099	211.237.66.129	192.168.2.4
Jan 15, 2025 17:02:54.574685097 CET	50100	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.574771881 CET	50099	445	192.168.2.4	211.237.66.129
Jan 15, 2025 17:02:54.574773073 CET	50100	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.574934006 CET	50101	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.579787016 CET	445	50100	211.237.66.1	192.168.2.4
Jan 15, 2025 17:02:54.579799891 CET	445	50101	211.237.66.1	192.168.2.4
Jan 15, 2025 17:02:54.579854012 CET	50100	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.579879999 CET	50101	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.579910994 CET	50101	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:02:54.584712982 CET	445	50101	211.237.66.1	192.168.2.4
Jan 15, 2025 17:02:54.845531940 CET	50102	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:54.850497007 CET	445	50102	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:54.850591898 CET	50102	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:54.850636005 CET	50102	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:02:54.855432987 CET	445	50102	142.169.216.1	192.168.2.4
Jan 15, 2025 17:02:55.235404968 CET	445	50096	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:55.235671043 CET	50096	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:55.235763073 CET	50096	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:55.235820055 CET	50096	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:55.240595102 CET	445	50096	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:55.240612984 CET	445	50096	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:55.279552937 CET	445	50093	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:55.279887915 CET	50093	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:55.279959917 CET	50093	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:55.280028105 CET	50093	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:55.284703016 CET	445	50093	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:55.284745932 CET	445	50093	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:55.503226042 CET	50103	445	192.168.2.4	40.235.31.113
Jan 15, 2025 17:02:55.508147001 CET	445	50103	40.235.31.113	192.168.2.4
Jan 15, 2025 17:02:55.508219957 CET	50103	445	192.168.2.4	40.235.31.113
Jan 15, 2025 17:02:55.508253098 CET	50103	445	192.168.2.4	40.235.31.113
Jan 15, 2025 17:02:55.508404016 CET	50104	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.513170958 CET	445	50104	40.235.31.1	192.168.2.4
Jan 15, 2025 17:02:55.513183117 CET	445	50103	40.235.31.113	192.168.2.4
Jan 15, 2025 17:02:55.513246059 CET	50104	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.513263941 CET	50103	445	192.168.2.4	40.235.31.113
Jan 15, 2025 17:02:55.513355017 CET	50104	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.513641119 CET	50105	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.518296957 CET	445	50104	40.235.31.1	192.168.2.4
Jan 15, 2025 17:02:55.518373966 CET	50104	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.518439054 CET	445	50105	40.235.31.1	192.168.2.4
Jan 15, 2025 17:02:55.518501043 CET	50105	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.518543959 CET	50105	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:02:55.523248911 CET	445	50105	40.235.31.1	192.168.2.4
Jan 15, 2025 17:02:55.858881950 CET	445	50046	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:55.859144926 CET	50046	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:55.859240055 CET	50046	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:55.859240055 CET	50046	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:55.864082098 CET	445	50046	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:55.864094019 CET	445	50046	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:56.015635967 CET	445	50047	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:56.015821934 CET	50047	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:56.015933037 CET	50047	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:56.016002893 CET	50047	445	192.168.2.4	145.201.0.1
Jan 15, 2025 17:02:56.020982981 CET	445	50047	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:56.021013021 CET	445	50047	145.201.0.1	192.168.2.4
Jan 15, 2025 17:02:56.079706907 CET	50106	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.084655046 CET	445	50106	145.201.0.2	192.168.2.4
Jan 15, 2025 17:02:56.084718943 CET	50106	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.084780931 CET	50106	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.085124016 CET	50107	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.089965105 CET	445	50107	145.201.0.2	192.168.2.4
Jan 15, 2025 17:02:56.090058088 CET	50107	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.090058088 CET	50107	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.094926119 CET	445	50107	145.201.0.2	192.168.2.4
Jan 15, 2025 17:02:56.095622063 CET	445	50106	145.201.0.2	192.168.2.4
Jan 15, 2025 17:02:56.098134995 CET	445	50106	145.201.0.2	192.168.2.4
Jan 15, 2025 17:02:56.098191977 CET	50106	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:02:56.392687082 CET	50108	445	192.168.2.4	4.147.179.228
Jan 15, 2025 17:02:56.397742987 CET	445	50108	4.147.179.228	192.168.2.4
Jan 15, 2025 17:02:56.397878885 CET	50108	445	192.168.2.4	4.147.179.228
Jan 15, 2025 17:02:56.397959948 CET	50108	445	192.168.2.4	4.147.179.228
Jan 15, 2025 17:02:56.398200035 CET	50109	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.402965069 CET	445	50108	4.147.179.228	192.168.2.4
Jan 15, 2025 17:02:56.403053999 CET	50108	445	192.168.2.4	4.147.179.228
Jan 15, 2025 17:02:56.403111935 CET	445	50109	4.147.179.1	192.168.2.4
Jan 15, 2025 17:02:56.403187990 CET	50109	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.403254032 CET	50109	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.403525114 CET	50110	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.408231020 CET	445	50109	4.147.179.1	192.168.2.4
Jan 15, 2025 17:02:56.408309937 CET	50109	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.408446074 CET	445	50110	4.147.179.1	192.168.2.4
Jan 15, 2025 17:02:56.408509970 CET	50110	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.408591032 CET	50110	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:02:56.413389921 CET	445	50110	4.147.179.1	192.168.2.4
Jan 15, 2025 17:02:56.860939026 CET	50111	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:56.865897894 CET	445	50111	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:56.866009951 CET	50111	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:56.866091013 CET	50111	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:02:56.870908022 CET	445	50111	119.163.139.1	192.168.2.4
Jan 15, 2025 17:02:57.220653057 CET	50114	445	192.168.2.4	178.206.229.68
Jan 15, 2025 17:02:57.225586891 CET	445	50114	178.206.229.68	192.168.2.4
Jan 15, 2025 17:02:57.225673914 CET	50114	445	192.168.2.4	178.206.229.68
Jan 15, 2025 17:02:57.225720882 CET	50114	445	192.168.2.4	178.206.229.68
Jan 15, 2025 17:02:57.225907087 CET	50115	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.230817080 CET	445	50115	178.206.229.1	192.168.2.4
Jan 15, 2025 17:02:57.230832100 CET	445	50114	178.206.229.68	192.168.2.4
Jan 15, 2025 17:02:57.230921984 CET	50114	445	192.168.2.4	178.206.229.68
Jan 15, 2025 17:02:57.230930090 CET	50115	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.231050014 CET	50115	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.231522083 CET	50116	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.236002922 CET	445	50115	178.206.229.1	192.168.2.4
Jan 15, 2025 17:02:57.236062050 CET	50115	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.236296892 CET	445	50116	178.206.229.1	192.168.2.4
Jan 15, 2025 17:02:57.236377954 CET	50116	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.236426115 CET	50116	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:02:57.241211891 CET	445	50116	178.206.229.1	192.168.2.4
Jan 15, 2025 17:02:57.892591000 CET	445	50050	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:57.897386074 CET	50050	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:57.897466898 CET	50050	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:57.897524118 CET	50050	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:02:57.902842045 CET	445	50050	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:57.903139114 CET	445	50050	130.53.73.1	192.168.2.4
Jan 15, 2025 17:02:57.986104012 CET	50117	445	192.168.2.4	26.97.17.35
Jan 15, 2025 17:02:57.990895033 CET	445	50117	26.97.17.35	192.168.2.4
Jan 15, 2025 17:02:57.991013050 CET	50117	445	192.168.2.4	26.97.17.35
Jan 15, 2025 17:02:57.991132021 CET	50117	445	192.168.2.4	26.97.17.35
Jan 15, 2025 17:02:57.991221905 CET	50118	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:57.995991945 CET	445	50117	26.97.17.35	192.168.2.4
Jan 15, 2025 17:02:57.996004105 CET	445	50118	26.97.17.1	192.168.2.4
Jan 15, 2025 17:02:57.996046066 CET	50117	445	192.168.2.4	26.97.17.35
Jan 15, 2025 17:02:57.996083975 CET	50118	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:57.996190071 CET	50118	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:57.996588945 CET	50119	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:58.001386881 CET	445	50119	26.97.17.1	192.168.2.4
Jan 15, 2025 17:02:58.001440048 CET	445	50118	26.97.17.1	192.168.2.4
Jan 15, 2025 17:02:58.001442909 CET	50119	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:58.001483917 CET	50118	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:58.002495050 CET	50119	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:02:58.007272005 CET	445	50119	26.97.17.1	192.168.2.4
Jan 15, 2025 17:02:58.011436939 CET	445	50051	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:58.011503935 CET	50051	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:58.011558056 CET	50051	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:58.011673927 CET	50051	445	192.168.2.4	47.77.228.1
Jan 15, 2025 17:02:58.016325951 CET	445	50051	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:58.016412973 CET	445	50051	47.77.228.1	192.168.2.4
Jan 15, 2025 17:02:58.064682961 CET	50120	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.069655895 CET	445	50120	47.77.228.2	192.168.2.4
Jan 15, 2025 17:02:58.070642948 CET	50120	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.070723057 CET	50120	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.071161985 CET	50121	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.075588942 CET	445	50120	47.77.228.2	192.168.2.4
Jan 15, 2025 17:02:58.075615883 CET	445	50120	47.77.228.2	192.168.2.4
Jan 15, 2025 17:02:58.075681925 CET	50120	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.076016903 CET	445	50121	47.77.228.2	192.168.2.4
Jan 15, 2025 17:02:58.076107025 CET	50121	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.076160908 CET	50121	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:02:58.080984116 CET	445	50121	47.77.228.2	192.168.2.4
Jan 15, 2025 17:02:58.251516104 CET	50127	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:58.256525040 CET	445	50127	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:58.256619930 CET	50127	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:58.256654024 CET	50127	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:58.261511087 CET	445	50127	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:58.282701969 CET	50128	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:58.287600994 CET	445	50128	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:58.287683964 CET	50128	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:58.287753105 CET	50128	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:58.292525053 CET	445	50128	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:58.860874891 CET	50130	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:58.866319895 CET	445	50130	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:58.866457939 CET	50130	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:58.866532087 CET	50130	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:02:58.871942043 CET	445	50130	206.137.46.1	192.168.2.4
Jan 15, 2025 17:02:59.872840881 CET	445	50127	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:59.872999907 CET	50127	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:59.873056889 CET	50127	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:59.873056889 CET	50127	445	192.168.2.4	38.46.21.1
Jan 15, 2025 17:02:59.877893925 CET	445	50127	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:59.877926111 CET	445	50127	38.46.21.1	192.168.2.4
Jan 15, 2025 17:02:59.921849966 CET	445	50054	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:59.922029018 CET	50054	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:59.922084093 CET	50054	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:59.922106028 CET	50054	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:02:59.926956892 CET	445	50054	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:59.926968098 CET	445	50054	66.28.85.1	192.168.2.4
Jan 15, 2025 17:02:59.938972950 CET	50143	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.943861008 CET	445	50143	38.46.21.2	192.168.2.4
Jan 15, 2025 17:02:59.943944931 CET	50143	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.943955898 CET	50143	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.944211960 CET	50144	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.949063063 CET	445	50143	38.46.21.2	192.168.2.4
Jan 15, 2025 17:02:59.949121952 CET	50143	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.949145079 CET	445	50144	38.46.21.2	192.168.2.4
Jan 15, 2025 17:02:59.949222088 CET	50144	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.949260950 CET	50144	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:02:59.954075098 CET	445	50144	38.46.21.2	192.168.2.4
Jan 15, 2025 17:02:59.999340057 CET	445	50128	91.148.191.1	192.168.2.4
Jan 15, 2025 17:02:59.999533892 CET	50128	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:59.999577999 CET	50128	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:02:59.999627113 CET	50128	445	192.168.2.4	91.148.191.1
Jan 15, 2025 17:03:00.004455090 CET	445	50128	91.148.191.1	192.168.2.4
Jan 15, 2025 17:03:00.004484892 CET	445	50128	91.148.191.1	192.168.2.4
Jan 15, 2025 17:03:00.064038038 CET	50146	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.234586000 CET	445	50055	115.185.47.1	192.168.2.4
Jan 15, 2025 17:03:00.234853983 CET	50055	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:03:00.235054016 CET	50055	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:03:00.235124111 CET	50055	445	192.168.2.4	115.185.47.1
Jan 15, 2025 17:03:00.235265970 CET	445	50146	91.148.191.2	192.168.2.4
Jan 15, 2025 17:03:00.235347986 CET	50146	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.235443115 CET	50146	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.235893965 CET	50147	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.240207911 CET	445	50055	115.185.47.1	192.168.2.4
Jan 15, 2025 17:03:00.240216970 CET	445	50055	115.185.47.1	192.168.2.4
Jan 15, 2025 17:03:00.240415096 CET	445	50146	91.148.191.2	192.168.2.4
Jan 15, 2025 17:03:00.240469933 CET	50146	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.240626097 CET	445	50147	91.148.191.2	192.168.2.4
Jan 15, 2025 17:03:00.240686893 CET	50147	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.240705013 CET	50147	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:00.245449066 CET	445	50147	91.148.191.2	192.168.2.4
Jan 15, 2025 17:03:00.298525095 CET	50148	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.303388119 CET	445	50148	115.185.47.2	192.168.2.4
Jan 15, 2025 17:03:00.303457975 CET	50148	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.303488016 CET	50148	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.303889036 CET	50149	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.308497906 CET	445	50148	115.185.47.2	192.168.2.4
Jan 15, 2025 17:03:00.308561087 CET	50148	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.308845997 CET	445	50149	115.185.47.2	192.168.2.4
Jan 15, 2025 17:03:00.308901072 CET	50149	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.308938980 CET	50149	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:00.313718081 CET	445	50149	115.185.47.2	192.168.2.4
Jan 15, 2025 17:03:00.907728910 CET	50156	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:03:00.912763119 CET	445	50156	130.53.73.1	192.168.2.4
Jan 15, 2025 17:03:00.912830114 CET	50156	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:03:00.912853003 CET	50156	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:03:00.917694092 CET	445	50156	130.53.73.1	192.168.2.4
Jan 15, 2025 17:03:02.063915014 CET	445	50059	180.212.215.1	192.168.2.4
Jan 15, 2025 17:03:02.063997030 CET	50059	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:03:02.064052105 CET	50059	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:03:02.064106941 CET	50059	445	192.168.2.4	180.212.215.1
Jan 15, 2025 17:03:02.071424007 CET	445	50059	180.212.215.1	192.168.2.4
Jan 15, 2025 17:03:02.071459055 CET	445	50059	180.212.215.1	192.168.2.4
Jan 15, 2025 17:03:02.126652956 CET	50173	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.131643057 CET	445	50173	180.212.215.2	192.168.2.4
Jan 15, 2025 17:03:02.131748915 CET	50173	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.131784916 CET	50173	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.132132053 CET	50174	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.136804104 CET	445	50173	180.212.215.2	192.168.2.4
Jan 15, 2025 17:03:02.136879921 CET	50173	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.137036085 CET	445	50174	180.212.215.2	192.168.2.4
Jan 15, 2025 17:03:02.137111902 CET	50174	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.137155056 CET	50174	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:02.142004967 CET	445	50174	180.212.215.2	192.168.2.4
Jan 15, 2025 17:03:02.923453093 CET	50187	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:03:02.928302050 CET	445	50187	66.28.85.1	192.168.2.4
Jan 15, 2025 17:03:02.928859949 CET	50187	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:03:02.928900003 CET	50187	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:03:02.934235096 CET	445	50187	66.28.85.1	192.168.2.4
Jan 15, 2025 17:03:03.777040958 CET	445	50062	116.97.98.1	192.168.2.4
Jan 15, 2025 17:03:03.777117968 CET	50062	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:03.777163982 CET	50062	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:03.777206898 CET	50062	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:03.781985044 CET	445	50062	116.97.98.1	192.168.2.4
Jan 15, 2025 17:03:03.781996012 CET	445	50062	116.97.98.1	192.168.2.4
Jan 15, 2025 17:03:04.027029991 CET	445	50063	159.109.196.1	192.168.2.4
Jan 15, 2025 17:03:04.027107954 CET	50063	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:03:04.027168036 CET	50063	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:03:04.027205944 CET	50063	445	192.168.2.4	159.109.196.1
Jan 15, 2025 17:03:04.031924009 CET	445	50063	159.109.196.1	192.168.2.4
Jan 15, 2025 17:03:04.031935930 CET	445	50063	159.109.196.1	192.168.2.4
Jan 15, 2025 17:03:04.079668045 CET	50205	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.084446907 CET	445	50205	159.109.196.2	192.168.2.4
Jan 15, 2025 17:03:04.084664106 CET	50205	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.084664106 CET	50205	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.084966898 CET	50206	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.089601994 CET	445	50205	159.109.196.2	192.168.2.4
Jan 15, 2025 17:03:04.089660883 CET	50205	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.089781046 CET	445	50206	159.109.196.2	192.168.2.4
Jan 15, 2025 17:03:04.089859009 CET	50206	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.089890003 CET	50206	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:04.094645023 CET	445	50206	159.109.196.2	192.168.2.4
Jan 15, 2025 17:03:05.527380943 CET	445	50066	108.104.123.1	192.168.2.4
Jan 15, 2025 17:03:05.527446032 CET	50066	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:03:05.527498007 CET	50066	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:03:05.527523041 CET	50066	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:03:05.532318115 CET	445	50066	108.104.123.1	192.168.2.4
Jan 15, 2025 17:03:05.532329082 CET	445	50066	108.104.123.1	192.168.2.4
Jan 15, 2025 17:03:06.075469017 CET	445	50067	48.26.87.1	192.168.2.4
Jan 15, 2025 17:03:06.075546026 CET	50067	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:03:06.075603962 CET	50067	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:03:06.075634956 CET	50067	445	192.168.2.4	48.26.87.1
Jan 15, 2025 17:03:06.081099033 CET	445	50067	48.26.87.1	192.168.2.4
Jan 15, 2025 17:03:06.081109047 CET	445	50067	48.26.87.1	192.168.2.4
Jan 15, 2025 17:03:06.126681089 CET	50251	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.133388996 CET	445	50251	48.26.87.2	192.168.2.4
Jan 15, 2025 17:03:06.133490086 CET	50251	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.133553028 CET	50251	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.134074926 CET	50252	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.138809919 CET	445	50251	48.26.87.2	192.168.2.4
Jan 15, 2025 17:03:06.138869047 CET	50251	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.139378071 CET	445	50252	48.26.87.2	192.168.2.4
Jan 15, 2025 17:03:06.139446974 CET	50252	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.139482021 CET	50252	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:06.144268036 CET	445	50252	48.26.87.2	192.168.2.4
Jan 15, 2025 17:03:06.784003973 CET	50267	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:06.788940907 CET	445	50267	116.97.98.1	192.168.2.4
Jan 15, 2025 17:03:06.789025068 CET	50267	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:06.789057970 CET	50267	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:06.793850899 CET	445	50267	116.97.98.1	192.168.2.4
Jan 15, 2025 17:03:07.152244091 CET	445	50070	184.47.24.1	192.168.2.4
Jan 15, 2025 17:03:07.152337074 CET	50070	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:03:07.153578043 CET	50070	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:03:07.153613091 CET	50070	445	192.168.2.4	184.47.24.1
Jan 15, 2025 17:03:07.158385992 CET	445	50070	184.47.24.1	192.168.2.4
Jan 15, 2025 17:03:07.158397913 CET	445	50070	184.47.24.1	192.168.2.4
Jan 15, 2025 17:03:08.124758959 CET	445	50071	84.75.149.1	192.168.2.4
Jan 15, 2025 17:03:08.124845982 CET	50071	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:03:08.124892950 CET	50071	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:03:08.124905109 CET	50071	445	192.168.2.4	84.75.149.1
Jan 15, 2025 17:03:08.129699945 CET	445	50071	84.75.149.1	192.168.2.4
Jan 15, 2025 17:03:08.129712105 CET	445	50071	84.75.149.1	192.168.2.4
Jan 15, 2025 17:03:08.189027071 CET	50318	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.193808079 CET	445	50318	84.75.149.2	192.168.2.4
Jan 15, 2025 17:03:08.193903923 CET	50318	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.193923950 CET	50318	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.194339991 CET	50319	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.199100018 CET	445	50319	84.75.149.2	192.168.2.4
Jan 15, 2025 17:03:08.199168921 CET	50319	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.199186087 CET	50319	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.199568033 CET	445	50318	84.75.149.2	192.168.2.4
Jan 15, 2025 17:03:08.203958988 CET	445	50319	84.75.149.2	192.168.2.4
Jan 15, 2025 17:03:08.222729921 CET	445	50318	84.75.149.2	192.168.2.4
Jan 15, 2025 17:03:08.222795010 CET	50318	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:08.532632113 CET	50340	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:03:08.537442923 CET	445	50340	108.104.123.1	192.168.2.4
Jan 15, 2025 17:03:08.537504911 CET	50340	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:03:08.537693024 CET	50340	445	192.168.2.4	108.104.123.1
Jan 15, 2025 17:03:08.542432070 CET	445	50340	108.104.123.1	192.168.2.4
Jan 15, 2025 17:03:08.699609995 CET	445	50074	40.24.94.1	192.168.2.4
Jan 15, 2025 17:03:08.699666023 CET	50074	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:03:08.699697971 CET	50074	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:03:08.699736118 CET	50074	445	192.168.2.4	40.24.94.1
Jan 15, 2025 17:03:08.704473972 CET	445	50074	40.24.94.1	192.168.2.4
Jan 15, 2025 17:03:08.704483986 CET	445	50074	40.24.94.1	192.168.2.4
Jan 15, 2025 17:03:10.105848074 CET	445	50075	73.4.193.1	192.168.2.4
Jan 15, 2025 17:03:10.105922937 CET	50075	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:03:10.138411999 CET	445	50078	169.137.120.1	192.168.2.4
Jan 15, 2025 17:03:10.138485909 CET	50078	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:03:10.800944090 CET	50111	445	192.168.2.4	119.163.139.1
Jan 15, 2025 17:03:10.800977945 CET	50116	445	192.168.2.4	178.206.229.1
Jan 15, 2025 17:03:10.801027060 CET	50174	445	192.168.2.4	180.212.215.2
Jan 15, 2025 17:03:10.801143885 CET	50147	445	192.168.2.4	91.148.191.2
Jan 15, 2025 17:03:10.801166058 CET	50082	445	192.168.2.4	156.251.148.1
Jan 15, 2025 17:03:10.801193953 CET	50206	445	192.168.2.4	159.109.196.2
Jan 15, 2025 17:03:10.801238060 CET	50075	445	192.168.2.4	73.4.193.1
Jan 15, 2025 17:03:10.801255941 CET	50087	445	192.168.2.4	23.77.54.2
Jan 15, 2025 17:03:10.801296949 CET	50252	445	192.168.2.4	48.26.87.2
Jan 15, 2025 17:03:10.801327944 CET	50078	445	192.168.2.4	169.137.120.1
Jan 15, 2025 17:03:10.801357031 CET	50081	445	192.168.2.4	24.5.32.1
Jan 15, 2025 17:03:10.801386118 CET	50085	445	192.168.2.4	81.189.195.1
Jan 15, 2025 17:03:10.801413059 CET	50089	445	192.168.2.4	92.102.45.1
Jan 15, 2025 17:03:10.801434994 CET	50090	445	192.168.2.4	103.135.215.1
Jan 15, 2025 17:03:10.801522017 CET	50098	445	192.168.2.4	212.39.73.2
Jan 15, 2025 17:03:10.801546097 CET	50101	445	192.168.2.4	211.237.66.1
Jan 15, 2025 17:03:10.801574945 CET	50102	445	192.168.2.4	142.169.216.1
Jan 15, 2025 17:03:10.801599979 CET	50105	445	192.168.2.4	40.235.31.1
Jan 15, 2025 17:03:10.801630020 CET	50107	445	192.168.2.4	145.201.0.2
Jan 15, 2025 17:03:10.801652908 CET	50110	445	192.168.2.4	4.147.179.1
Jan 15, 2025 17:03:10.801682949 CET	50119	445	192.168.2.4	26.97.17.1
Jan 15, 2025 17:03:10.801737070 CET	50121	445	192.168.2.4	47.77.228.2
Jan 15, 2025 17:03:10.801770926 CET	50144	445	192.168.2.4	38.46.21.2
Jan 15, 2025 17:03:10.801788092 CET	50130	445	192.168.2.4	206.137.46.1
Jan 15, 2025 17:03:10.801817894 CET	50156	445	192.168.2.4	130.53.73.1
Jan 15, 2025 17:03:10.801847935 CET	50149	445	192.168.2.4	115.185.47.2
Jan 15, 2025 17:03:10.801870108 CET	50187	445	192.168.2.4	66.28.85.1
Jan 15, 2025 17:03:10.801968098 CET	50267	445	192.168.2.4	116.97.98.1
Jan 15, 2025 17:03:10.802104950 CET	50319	445	192.168.2.4	84.75.149.2
Jan 15, 2025 17:03:10.802139044 CET	50340	445	192.168.2.4	108.104.123.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:02:02.999711037 CET	60540	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:02:03.304775000 CET	53	60540	1.1.1.1	192.168.2.4
Jan 15, 2025 17:02:04.009777069 CET	61666	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:02:04.340010881 CET	53	61666	1.1.1.1	192.168.2.4
Jan 15, 2025 17:02:21.041610003 CET	138	138	192.168.2.4	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 17:02:02.999711037 CET	192.168.2.4	1.1.1.1	0xdda2	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:02:04.009777069 CET	192.168.2.4	1.1.1.1	0xa1fe	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 17:02:03.304775000 CET	1.1.1.1	192.168.2.4	0xdda2	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:02:04.340010881 CET	1.1.1.1	192.168.2.4	0xa1fe	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 17:02:04.340010881 CET	1.1.1.1	192.168.2.4	0xa1fe	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	103.224.212.215	80	7376	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:02:03.317462921 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:02:04.003189087 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:02:03 GMT server: Apache set-cookie: __tad=1736956923.6688295; expires=Sat, 13-Jan-2035 16:02:03 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0391-8145-be822d640a38 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	199.59.243.228	80	7376	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:02:04.367757082 CET	169	OUT	GET /?subid1=20250116-0302-0391-8145-be822d640a38 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:02:04.879179001 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:02:04 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: db512008-65d2-448a-b6b1-ea5977f3e3e8 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_m+G01hv4g270HW1cvqigQC0PJkCQ8wWe9mFK8fdnQESpW4+gWFs4OunVP/iBqooJrt75DY4tlwUVQpwNMpVCnQ== set-cookie: parking_session=db512008-65d2-448a-b6b1-ea5977f3e3e8; expires=Wed, 15 Jan 2025 16:17:04 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 2b 47 30 31 68 76 34 67 32 37 30 48 57 31 63 76 71 69 67 51 43 30 50 4a 6b 43 51 38 77 57 65 39 6d 46 4b 38 66 64 6e 51 45 53 70 57 34 2b 67 57 46 73 34 4f 75 6e 56 50 2f 69 42 71 6f 6f 4a 72 74 37 35 44 59 34 74 6c 77 55 56 51 70 77 4e 4d 70 56 43 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_m+G01hv4g270HW1cvqigQC0PJkCQ8wWe9mFK8fdnQESpW4+gWFs4OunVP/iBqooJrt75DY4tlwUVQpwNMpVCnQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:02:04.879224062 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGI1MTIwMDgtNjVkMi00NDhhLWI2YjEtZWE1OTc3ZjNlM2U4IiwicGFnZV90aW1lIjoxNzM2OTU2OTI0LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	103.224.212.215	80	7464	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:02:05.063698053 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:02:05.681677103 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:02:05 GMT server: Apache set-cookie: __tad=1736956925.4360378; expires=Sat, 13-Jan-2035 16:02:05 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-05ad-88d9-dedd0360a734 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	199.59.243.228	80	7464	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:02:05.696553946 CET	169	OUT	GET /?subid1=20250116-0302-05ad-88d9-dedd0360a734 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:02:06.161392927 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:02:05 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: e06efaa0-e5b7-4ec3-9e3e-f3a63bc2df7b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_oUH218JeXL5r3knxuwexUNbwZW8eSJy0WZLsY83QiVlVHQ3M74mlZ7pp83LHMEuHfgy3ROn9kVvsPCoVr4jQfg== set-cookie: parking_session=e06efaa0-e5b7-4ec3-9e3e-f3a63bc2df7b; expires=Wed, 15 Jan 2025 16:17:06 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6f 55 48 32 31 38 4a 65 58 4c 35 72 33 6b 6e 78 75 77 65 78 55 4e 62 77 5a 57 38 65 53 4a 79 30 57 5a 4c 73 59 38 33 51 69 56 6c 56 48 51 33 4d 37 34 6d 6c 5a 37 70 70 38 33 4c 48 4d 45 75 48 66 67 79 33 52 4f 6e 39 6b 56 76 73 50 43 6f 56 72 34 6a 51 66 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_oUH218JeXL5r3knxuwexUNbwZW8eSJy0WZLsY83QiVlVHQ3M74mlZ7pp83LHMEuHfgy3ROn9kVvsPCoVr4jQfg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:02:06.161482096 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTA2ZWZhYTAtZTViNy00ZWMzLTllM2UtZjNhNjNiYzJkZjdiIiwicGFnZV90aW1lIjoxNzM2OTU2OTI2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	103.224.212.215	80	7516	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:02:05.779393911 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736956923.6688295
Jan 15, 2025 17:02:06.424515009 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:02:06 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0302-0618-947e-8a073fcf7910 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	199.59.243.228	80	7516	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:02:06.437876940 CET	231	OUT	GET /?subid1=20250116-0302-0618-947e-8a073fcf7910 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=db512008-65d2-448a-b6b1-ea5977f3e3e8
Jan 15, 2025 17:02:06.915353060 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:02:06 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 29fd841e-6f86-4fca-bfde-97483011a99a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e70aCBZ6UEc1MwS/Ahfh9HCk3Nzkuq2F5YqKS8h3Cm6eWZkZb/KFXAA1k5zYZUPbTRrdPzJCcznt4yYu8wxBVQ== set-cookie: parking_session=db512008-65d2-448a-b6b1-ea5977f3e3e8; expires=Wed, 15 Jan 2025 16:17:06 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 37 30 61 43 42 5a 36 55 45 63 31 4d 77 53 2f 41 68 66 68 39 48 43 6b 33 4e 7a 6b 75 71 32 46 35 59 71 4b 53 38 68 33 43 6d 36 65 57 5a 6b 5a 62 2f 4b 46 58 41 41 31 6b 35 7a 59 5a 55 50 62 54 52 72 64 50 7a 4a 43 63 7a 6e 74 34 79 59 75 38 77 78 42 56 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e70aCBZ6UEc1MwS/Ahfh9HCk3Nzkuq2F5YqKS8h3Cm6eWZkZb/KFXAA1k5zYZUPbTRrdPzJCcznt4yYu8wxBVQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 17:02:06.915380955 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGI1MTIwMDgtNjVkMi00NDhhLWI2YjEtZWE1OTc3ZjNlM2U4IiwicGFnZV90aW1lIjoxNzM2OTU2OTI2LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	11:02:01
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll"
Imagebase:	0x990000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:02:01
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:02:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:02:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\zTrDsX9gXl.dll,PlayGame
Imagebase:	0xe20000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:02:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",#1
Imagebase:	0xe20000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:02:01
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	DE6BCE2486E432A4B5B864474C28115A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1703910829.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.1704036895.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:02:03
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	DE6BCE2486E432A4B5B864474C28115A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1724997765.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2376217679.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1725332071.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2375884712.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:02:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\zTrDsX9gXl.dll",PlayGame
Imagebase:	0xe20000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:02:04
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	DE6BCE2486E432A4B5B864474C28115A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1749587403.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1732224157.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1732331074.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.1749794760.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12

Memory Dump Source

Source File: 00000005.00000002.1738084295.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1738066618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738105541.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738173991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.1738084295.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1738066618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738105541.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738173991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.1738084295.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1738066618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738105541.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738173991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000005.00000002.1738084295.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1738066618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738105541.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738173991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.1738084295.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1738066618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738105541.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738124272.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738173991.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1738258920.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7464, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2374870345.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2374857346.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374884524.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374945737.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374959580.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2374870345.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2374857346.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374884524.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374945737.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374959580.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000006.00000002.2374870345.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2374857346.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374884524.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374945737.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374959580.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
/i, xrefs: 00407E8D
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000006.00000002.2374870345.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2374857346.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374884524.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374945737.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374959580.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2374870345.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2374857346.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374884524.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374897480.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374932468.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374945737.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2374959580.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2375049249.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zTrDsX9gXl.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
zTrDsX9gXl.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON