Edit tour

Windows Analysis Report
q4e7rZQEkL.dll

Overview

General Information

Sample name:	q4e7rZQEkL.dll renamed because original name is a hash value
Original sample name:	7e68310ee0953263920001de94841567.dll
Analysis ID:	1592043
MD5:	7e68310ee0953263920001de94841567
SHA1:	b71441520e636ca9ccea84376fb42d0264c4d617
SHA256:	1589160661b4ca1f6c9177214bd282fd724efadefe940730efa2a6dde9e0a00e
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6636 cmdline: loaddll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6804 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6880 cmdline: rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6832 cmdline: rundll32.exe C:\Users\user\Desktop\q4e7rZQEkL.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6952 cmdline: C:\WINDOWS\mssecsvr.exe MD5: EDF4881B12065F814C90F9DC71BE9B62)

rundll32.exe (PID: 3684 cmdline: rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 5244 cmdline: C:\WINDOWS\mssecsvr.exe MD5: EDF4881B12065F814C90F9DC71BE9B62)

mssecsvr.exe (PID: 7128 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: EDF4881B12065F814C90F9DC71BE9B62)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
q4e7rZQEkL.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
q4e7rZQEkL.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
q4e7rZQEkL.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1766760488.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1725170395.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.1725354645.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1725354645.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1747794261.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1766902808.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1766902808.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1753881608.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2397891299.0000000002272000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2397891299.0000000002272000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1747920345.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1747920345.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1754163167.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1754163167.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2397614773.0000000001D53000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2397614773.0000000001D53000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 6952	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7128	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 5244	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.mssecsvr.exe.1d44084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.229596c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.229596c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.229596c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.229596c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.1d76128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d76128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.1d76128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d76128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.1d53104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d53104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.1d53104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.1d53104.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.22638c8.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1d44084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d44084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.1d44084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.2272948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.2272948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.2272948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.2272948.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.22638c8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.22638c8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.22638c8.6.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.229596c.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.229596c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.229596c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.229596c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.1d76128.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d76128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.1d76128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d76128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvr.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvr.exe.226e8e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.226e8e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.226e8e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d53104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d53104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5079d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.1d53104.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.1d4f0a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.1d4f0a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.1d4f0a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.2272948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.2272948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvr.exe.2272948.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 117 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:39:10.442708+0100	2803304	3	Unknown Traffic	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-15T17:39:12.306476+0100	2803304	3	Unknown Traffic	192.168.2.4	49732	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:39:09.509359+0100	2830018	1	A Network Trojan was detected	192.168.2.4	63260	1.1.1.1	53	UDP

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/1@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03

Source: q4e7rZQEkL.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\q4e7rZQEkL.dll,PlayGame

Source: q4e7rZQEkL.dll	Virustotal: Detection: 90%
Source: q4e7rZQEkL.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\q4e7rZQEkL.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\q4e7rZQEkL.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: q4e7rZQEkL.dll

Static file information: File size 5267459 > 1048576

Source: q4e7rZQEkL.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe TID: 2416	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2416	Thread sleep time: -182000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3612	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3612	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2416	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: mssecsvr.exe, 00000008.00000002.1767669227.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000C26000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1760599617.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1767669227.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1767669227.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: mssecsvr.exe, 00000006.00000003.1760599617.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	11 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
q4e7rZQEkL.dll	90%	Virustotal		Browse
q4e7rZQEkL.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
q4e7rZQEkL.dll	100%	Avira	TR/Ransom.Gen
q4e7rZQEkL.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283ae8	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef804	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111ddf5	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef8	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111dd	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283a	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283ae8	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef804	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111ddf5	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o	mssecsvr.exe, 00000008.00000002.1767669227.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/j	mssecsvr.exe, 00000008.00000002.1767669227.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000A88000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	q4e7rZQEkL.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283a	mssecsvr.exe, 00000008.00000002.1767669227.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/d	mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000006.00000002.2396694620.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w	mssecsvr.exe, 00000008.00000002.1767669227.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/4	mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comD	mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111dd	mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1762491581.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef8	mssecsvr.exe, 00000006.00000003.1760599617.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1760599617.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
175.138.214.218	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
188.158.166.1	unknown	Iran (ISLAMIC Republic Of)	39501	NGSASIR	false
25.8.63.166	unknown	United Kingdom	7922	COMCAST-7922US	false
54.76.228.176	unknown	United States	16509	AMAZON-02US	false
214.105.233.1	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
61.126.105.30	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
148.190.179.1	unknown	United States	42652	DELUNETDE	false
148.190.179.3	unknown	United States	42652	DELUNETDE	false
148.190.179.2	unknown	United States	42652	DELUNETDE	false
93.83.4.1	unknown	Austria	8447	TELEKOM-ATA1TelekomAustriaAGAT	false
41.209.109.1	unknown	Sudan	15706	SudatelSD	false
52.105.25.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
165.36.191.176	unknown	United States	37053	RSAWEB-ASZA	false
97.219.176.1	unknown	United States	6167	CELLCO-PARTUS	false
24.81.53.1	unknown	Canada	6327	SHAWCA	false
214.105.233.222	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
47.235.125.2	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
47.235.125.1	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
92.29.141.21	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
24.81.53.215	unknown	Canada	6327	SHAWCA	false
32.240.226.1	unknown	United States	2686	ATGS-MMD-ASUS	false
206.193.176.1	unknown	United States	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
40.55.118.162	unknown	United States	4249	LILLY-ASUS	false
161.183.110.1	unknown	United States	10695	WAL-MARTUS	false
97.219.176.139	unknown	United States	6167	CELLCO-PARTUS	false
61.126.105.1	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592043
Start date and time:	2025-01-15 17:38:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	q4e7rZQEkL.dll renamed because original name is a hash value
Original Sample Name:	7e68310ee0953263920001de94841567.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/1@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.23.77.188, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:39:11	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:39:46	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	firstontario.docx	Get hash	malicious	Unknown	Browse	54.69.238.133
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	54.176.115.71
	bot.x86.elf	Get hash	malicious	Unknown	Browse	34.214.77.3
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	44.232.80.77
	bot.mips.elf	Get hash	malicious	Unknown	Browse	52.77.51.103
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	54.200.242.19
	bot.arm.elf	Get hash	malicious	Unknown	Browse	18.237.164.164
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	52.60.154.184
	arm5.elf	Get hash	malicious	Mirai	Browse	108.148.111.227
	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (2).zip	Get hash	malicious	Unknown	Browse	44.242.27.200
NGSASIR	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	188.159.29.159
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	188.159.29.184
	debug.elf	Get hash	malicious	Mirai	Browse	188.159.83.247
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	188.158.73.18
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	188.159.83.243
	mpsl.elf	Get hash	malicious	Mirai	Browse	188.159.83.240
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	89.165.62.180
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	188.158.171.101
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	188.159.83.254
	arm6.elf	Get hash	malicious	Unknown	Browse	188.159.83.231
COMCAST-7922US	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	96.217.134.1
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	73.4.193.160
	bot.x86.elf	Get hash	malicious	Unknown	Browse	73.238.166.144
	bot.spc.elf	Get hash	malicious	Unknown	Browse	73.81.79.182
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	25.43.128.193
	bot.mips.elf	Get hash	malicious	Unknown	Browse	25.152.125.12
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	67.168.47.59
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	98.63.246.100
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	76.129.159.98
	bot.arm.elf	Get hash	malicious	Unknown	Browse	76.18.177.107
TMNET-AS-APTMNetInternetServiceProviderMY	arm5.elf	Get hash	malicious	Mirai	Browse	175.140.232.18
	xd.arm.elf	Get hash	malicious	Mirai	Browse	60.53.161.147
	spc.elf	Get hash	malicious	Mirai	Browse	60.54.15.5
	ppc.elf	Get hash	malicious	Mirai	Browse	175.140.44.177
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	1.32.83.1
	ppc.elf	Get hash	malicious	Unknown	Browse	115.132.43.30
	m68k.elf	Get hash	malicious	Unknown	Browse	1.9.41.161
	res.sh4.elf	Get hash	malicious	Unknown	Browse	175.137.50.102
	res.x86.elf	Get hash	malicious	Unknown	Browse	210.195.145.51
	3.elf	Get hash	malicious	Unknown	Browse	115.133.136.236

Process:	C:\Windows\mssecsvr.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4629497641186
Encrypted:	false
SSDEEP:	6144:8IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbn:BXD94+WlLZMM6YFHg+n
MD5:	E8EA45A95CAA2CC50752A9D533EC4738
SHA1:	4F02859175532C11FFA9366A706021002101054E
SHA-256:	E68EB96DA13C02DBB9E5DC54E3910DFD50943199E72ECA1ABFADC593F4CA0F03
SHA-512:	388B7980FB7699BD906E9BBC32596E32671EFDA78A0BEF150D6C8CA5D2E9BADBCBDF93CFF7994FC5D021ECBA11FED205939C818947A35831F61EEE0AFA9188AD
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.I..lg..............................................................................................................................................................................................................................................................................................................................................T..5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.794461463359933
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	q4e7rZQEkL.dll
File size:	5'267'459 bytes
MD5:	7e68310ee0953263920001de94841567
SHA1:	b71441520e636ca9ccea84376fb42d0264c4d617
SHA256:	1589160661b4ca1f6c9177214bd282fd724efadefe940730efa2a6dde9e0a00e
SHA512:	3b8d2a1c38817204a11be05fb198b552d0a972555c635e2146bdd176255b14d4c403fa38eac161f4b03abcd1002119772a8b95786a2b0f28f6e4b32ded34f24a
SSDEEP:	24576:MbLguVQhfdmMSirYbcMNgef0QeQjGR012JCouYCQ0bzDkHfhD2xk:MnFQqMSPbcBVQeji86zw2xk
TLSH:	0C36CE46B394C669C02982798963C7E6A7B3BC455F32930B939C7B7F2E337806E15B11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FF6506DFE9Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FF6506DFEB8h
cmp esi, 01h
je 00007FF6506DFE97h
cmp esi, 02h
jne 00007FF6506DFEB4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FF6506DFE9Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FF6506DFE9Eh
push edi
push esi
push ebx
call 00007FF6506DFDAAh
test eax, eax
jne 00007FF6506DFE96h
xor eax, eax
jmp 00007FF6506DFEE0h
push edi
push esi
push ebx
call 00007FF6506DFC5Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FF6506DFE9Eh
test eax, eax
jne 00007FF6506DFEC9h
push edi
push eax
push ebx
call 00007FF6506DFD86h
test esi, esi
je 00007FF6506DFE97h
cmp esi, 03h
jne 00007FF6506DFEB8h
push edi
push esi
push ebx
call 00007FF6506DFD75h
test eax, eax
jne 00007FF6506DFE95h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FF6506DFEA3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FF6506DFE9Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	67cf1b93d63d0336e1ea5fcb5eb5db7a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8100900650024414

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T17:39:09.509359+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.4	63260	1.1.1.1	53	UDP
2025-01-15T17:39:10.442708+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49730	103.224.212.215	80	TCP
2025-01-15T17:39:12.306476+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49732	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:39:09.826550007 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:09.831492901 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:09.831569910 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:09.831712008 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:09.836491108 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:09.948146105 CET	49675	443	192.168.2.4	173.222.162.32
Jan 15, 2025 17:39:10.442640066 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:10.442708015 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:10.442856073 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:10.442914963 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:10.447253942 CET	49730	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:10.452075958 CET	80	49730	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:11.002141953 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.007296085 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:11.007394075 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.010627031 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.015469074 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:11.495743990 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:11.495795965 CET	80	49731	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:11.495845079 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.495887995 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.503052950 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.503089905 CET	49731	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:11.675165892 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:11.680324078 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:11.680424929 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:11.680569887 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:11.685446978 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.306335926 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.306386948 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.306476116 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.309724092 CET	49732	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.311461926 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.314810991 CET	80	49732	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.316551924 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:12.318926096 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.318978071 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.319102049 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.324009895 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.324038982 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:12.324183941 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.324337959 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.329294920 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.802174091 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:12.802228928 CET	80	49733	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:12.802268028 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.802335978 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.809156895 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.809220076 CET	49733	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.834068060 CET	49735	445	192.168.2.4	29.177.137.195
Jan 15, 2025 17:39:12.839060068 CET	445	49735	29.177.137.195	192.168.2.4
Jan 15, 2025 17:39:12.839410067 CET	49735	445	192.168.2.4	29.177.137.195
Jan 15, 2025 17:39:12.840035915 CET	49735	445	192.168.2.4	29.177.137.195
Jan 15, 2025 17:39:12.840354919 CET	49736	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.845000982 CET	445	49735	29.177.137.195	192.168.2.4
Jan 15, 2025 17:39:12.845067024 CET	49735	445	192.168.2.4	29.177.137.195
Jan 15, 2025 17:39:12.845233917 CET	445	49736	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:12.845297098 CET	49736	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.845405102 CET	49736	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.850323915 CET	445	49736	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:12.850373983 CET	49736	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.870320082 CET	49737	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.875257969 CET	445	49737	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:12.891504049 CET	49737	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.891814947 CET	49737	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:12.896687031 CET	445	49737	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:12.943775892 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.943902969 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.943986893 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.945971966 CET	49734	80	192.168.2.4	103.224.212.215
Jan 15, 2025 17:39:12.946897984 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.950860977 CET	80	49734	103.224.212.215	192.168.2.4
Jan 15, 2025 17:39:12.952692986 CET	80	49741	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:12.952759027 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.952877998 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:12.957675934 CET	80	49741	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:13.428018093 CET	80	49741	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:13.428070068 CET	80	49741	199.59.243.228	192.168.2.4
Jan 15, 2025 17:39:13.428103924 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:13.428150892 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:13.434755087 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:13.434772968 CET	49741	80	192.168.2.4	199.59.243.228
Jan 15, 2025 17:39:14.840290070 CET	49761	445	192.168.2.4	115.22.22.52
Jan 15, 2025 17:39:14.845532894 CET	445	49761	115.22.22.52	192.168.2.4
Jan 15, 2025 17:39:14.845628023 CET	49761	445	192.168.2.4	115.22.22.52
Jan 15, 2025 17:39:14.845686913 CET	49761	445	192.168.2.4	115.22.22.52
Jan 15, 2025 17:39:14.846513987 CET	49762	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.850703001 CET	445	49761	115.22.22.52	192.168.2.4
Jan 15, 2025 17:39:14.850769997 CET	49761	445	192.168.2.4	115.22.22.52
Jan 15, 2025 17:39:14.851423025 CET	445	49762	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:14.851492882 CET	49762	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.851556063 CET	49762	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.852912903 CET	49763	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.856571913 CET	445	49762	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:14.856642008 CET	49762	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.857821941 CET	445	49763	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:14.857902050 CET	49763	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.857944965 CET	49763	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:14.862787962 CET	445	49763	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:16.855618954 CET	49786	445	192.168.2.4	76.56.126.70
Jan 15, 2025 17:39:16.860965014 CET	445	49786	76.56.126.70	192.168.2.4
Jan 15, 2025 17:39:16.861064911 CET	49786	445	192.168.2.4	76.56.126.70
Jan 15, 2025 17:39:16.861120939 CET	49786	445	192.168.2.4	76.56.126.70
Jan 15, 2025 17:39:16.861346006 CET	49787	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.866204023 CET	445	49787	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:16.866262913 CET	445	49786	76.56.126.70	192.168.2.4
Jan 15, 2025 17:39:16.866314888 CET	49787	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.866342068 CET	49787	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.866342068 CET	49786	445	192.168.2.4	76.56.126.70
Jan 15, 2025 17:39:16.868247032 CET	49788	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.871380091 CET	445	49787	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:16.871464968 CET	49787	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.873143911 CET	445	49788	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:16.873203993 CET	49788	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.873265028 CET	49788	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:16.878061056 CET	445	49788	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:18.871581078 CET	49811	445	192.168.2.4	165.36.191.176
Jan 15, 2025 17:39:18.876421928 CET	445	49811	165.36.191.176	192.168.2.4
Jan 15, 2025 17:39:18.880508900 CET	49811	445	192.168.2.4	165.36.191.176
Jan 15, 2025 17:39:18.880639076 CET	49811	445	192.168.2.4	165.36.191.176
Jan 15, 2025 17:39:18.880944014 CET	49812	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.885567904 CET	445	49811	165.36.191.176	192.168.2.4
Jan 15, 2025 17:39:18.885633945 CET	49811	445	192.168.2.4	165.36.191.176
Jan 15, 2025 17:39:18.885695934 CET	445	49812	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:18.885756969 CET	49812	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.885824919 CET	49812	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.887772083 CET	49813	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.890742064 CET	445	49812	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:18.890886068 CET	49812	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.892618895 CET	445	49813	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:18.892683029 CET	49813	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.892729998 CET	49813	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:18.897442102 CET	445	49813	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:20.913594007 CET	49833	445	192.168.2.4	40.55.118.162
Jan 15, 2025 17:39:20.918771029 CET	445	49833	40.55.118.162	192.168.2.4
Jan 15, 2025 17:39:20.918884039 CET	49833	445	192.168.2.4	40.55.118.162
Jan 15, 2025 17:39:20.918951988 CET	49833	445	192.168.2.4	40.55.118.162
Jan 15, 2025 17:39:20.919194937 CET	49834	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.924328089 CET	445	49833	40.55.118.162	192.168.2.4
Jan 15, 2025 17:39:20.924360991 CET	445	49834	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:20.924412966 CET	49833	445	192.168.2.4	40.55.118.162
Jan 15, 2025 17:39:20.924457073 CET	49834	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.924514055 CET	49834	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.925504923 CET	49835	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.929620981 CET	445	49834	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:20.929683924 CET	49834	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.930341005 CET	445	49835	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:20.930404902 CET	49835	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.930457115 CET	49835	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:20.935353994 CET	445	49835	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:22.918495893 CET	49857	445	192.168.2.4	148.190.179.3
Jan 15, 2025 17:39:22.923655987 CET	445	49857	148.190.179.3	192.168.2.4
Jan 15, 2025 17:39:22.923749924 CET	49857	445	192.168.2.4	148.190.179.3
Jan 15, 2025 17:39:22.923806906 CET	49857	445	192.168.2.4	148.190.179.3
Jan 15, 2025 17:39:22.924036980 CET	49858	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.928921938 CET	445	49858	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:22.929043055 CET	49858	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.929043055 CET	49858	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.929286957 CET	445	49857	148.190.179.3	192.168.2.4
Jan 15, 2025 17:39:22.929801941 CET	49857	445	192.168.2.4	148.190.179.3
Jan 15, 2025 17:39:22.930107117 CET	49859	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.934174061 CET	445	49858	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:22.934433937 CET	49858	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.934931040 CET	445	49859	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:22.935019970 CET	49859	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.935190916 CET	49859	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:22.940148115 CET	445	49859	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:24.725575924 CET	49723	80	192.168.2.4	199.232.214.172
Jan 15, 2025 17:39:24.730686903 CET	80	49723	199.232.214.172	192.168.2.4
Jan 15, 2025 17:39:24.730737925 CET	49723	80	192.168.2.4	199.232.214.172
Jan 15, 2025 17:39:24.932929993 CET	49884	445	192.168.2.4	16.122.44.225
Jan 15, 2025 17:39:24.938005924 CET	445	49884	16.122.44.225	192.168.2.4
Jan 15, 2025 17:39:24.938251019 CET	49884	445	192.168.2.4	16.122.44.225
Jan 15, 2025 17:39:24.938251019 CET	49884	445	192.168.2.4	16.122.44.225
Jan 15, 2025 17:39:24.938431978 CET	49886	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.943212986 CET	445	49886	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:24.943272114 CET	49886	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.943279028 CET	445	49884	16.122.44.225	192.168.2.4
Jan 15, 2025 17:39:24.943331003 CET	49884	445	192.168.2.4	16.122.44.225
Jan 15, 2025 17:39:24.943411112 CET	49886	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.943680048 CET	49887	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.948384047 CET	445	49886	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:24.948554993 CET	49886	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.948564053 CET	445	49887	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:24.948679924 CET	49887	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.948679924 CET	49887	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:24.953574896 CET	445	49887	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:26.127474070 CET	52159	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:39:26.132447958 CET	53	52159	1.1.1.1	192.168.2.4
Jan 15, 2025 17:39:26.132512093 CET	52159	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:39:26.137356997 CET	53	52159	1.1.1.1	192.168.2.4
Jan 15, 2025 17:39:26.578939915 CET	52159	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:39:26.584100962 CET	53	52159	1.1.1.1	192.168.2.4
Jan 15, 2025 17:39:26.584177971 CET	52159	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:39:26.948628902 CET	52168	445	192.168.2.4	175.138.214.218
Jan 15, 2025 17:39:26.953537941 CET	445	52168	175.138.214.218	192.168.2.4
Jan 15, 2025 17:39:26.953608036 CET	52168	445	192.168.2.4	175.138.214.218
Jan 15, 2025 17:39:26.953672886 CET	52168	445	192.168.2.4	175.138.214.218
Jan 15, 2025 17:39:26.953958988 CET	52169	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.958594084 CET	445	52168	175.138.214.218	192.168.2.4
Jan 15, 2025 17:39:26.958673000 CET	52168	445	192.168.2.4	175.138.214.218
Jan 15, 2025 17:39:26.958714008 CET	445	52169	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:26.958935022 CET	52169	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.958978891 CET	52169	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.959290028 CET	52170	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.963850975 CET	445	52169	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:26.963933945 CET	52169	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.964098930 CET	445	52170	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:26.964159012 CET	52170	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.964185953 CET	52170	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:26.968947887 CET	445	52170	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:28.964217901 CET	52193	445	192.168.2.4	47.235.125.138
Jan 15, 2025 17:39:28.969177961 CET	445	52193	47.235.125.138	192.168.2.4
Jan 15, 2025 17:39:28.973275900 CET	52193	445	192.168.2.4	47.235.125.138
Jan 15, 2025 17:39:28.973340034 CET	52193	445	192.168.2.4	47.235.125.138
Jan 15, 2025 17:39:28.973489046 CET	52194	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.978327990 CET	445	52194	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:28.978400946 CET	52194	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.978439093 CET	445	52193	47.235.125.138	192.168.2.4
Jan 15, 2025 17:39:28.978480101 CET	52194	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.978517056 CET	52193	445	192.168.2.4	47.235.125.138
Jan 15, 2025 17:39:28.978883982 CET	52195	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.983377934 CET	445	52194	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:28.983596087 CET	52194	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.983663082 CET	445	52195	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:28.983753920 CET	52195	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.983808994 CET	52195	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:28.988590002 CET	445	52195	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:30.979644060 CET	52218	445	192.168.2.4	188.158.166.53
Jan 15, 2025 17:39:30.984460115 CET	445	52218	188.158.166.53	192.168.2.4
Jan 15, 2025 17:39:30.984565973 CET	52218	445	192.168.2.4	188.158.166.53
Jan 15, 2025 17:39:30.984600067 CET	52218	445	192.168.2.4	188.158.166.53
Jan 15, 2025 17:39:30.984703064 CET	52219	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.989494085 CET	445	52219	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:30.989558935 CET	52219	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.989573956 CET	52219	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.989609003 CET	445	52218	188.158.166.53	192.168.2.4
Jan 15, 2025 17:39:30.989943027 CET	52218	445	192.168.2.4	188.158.166.53
Jan 15, 2025 17:39:30.989948034 CET	52220	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.994690895 CET	445	52220	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:30.994792938 CET	52220	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.994792938 CET	52220	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.995141029 CET	445	52219	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:30.995462894 CET	52219	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:30.999613047 CET	445	52220	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:32.995898008 CET	52243	445	192.168.2.4	52.105.25.84
Jan 15, 2025 17:39:33.001422882 CET	445	52243	52.105.25.84	192.168.2.4
Jan 15, 2025 17:39:33.001488924 CET	52243	445	192.168.2.4	52.105.25.84
Jan 15, 2025 17:39:33.001527071 CET	52243	445	192.168.2.4	52.105.25.84
Jan 15, 2025 17:39:33.001738071 CET	52244	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.006691933 CET	445	52244	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:33.006743908 CET	445	52243	52.105.25.84	192.168.2.4
Jan 15, 2025 17:39:33.006768942 CET	52244	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.006768942 CET	52244	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.006798029 CET	52243	445	192.168.2.4	52.105.25.84
Jan 15, 2025 17:39:33.007034063 CET	52245	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.011873007 CET	445	52244	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:33.011883974 CET	445	52245	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:33.011934996 CET	52244	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.011957884 CET	52245	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.011987925 CET	52245	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:33.016732931 CET	445	52245	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:34.275787115 CET	445	49737	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:34.276017904 CET	49737	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:34.276019096 CET	49737	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:34.276019096 CET	49737	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:34.281816959 CET	445	49737	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:34.281826019 CET	445	49737	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:35.010987043 CET	52267	445	192.168.2.4	36.60.110.4
Jan 15, 2025 17:39:35.015938997 CET	445	52267	36.60.110.4	192.168.2.4
Jan 15, 2025 17:39:35.016020060 CET	52267	445	192.168.2.4	36.60.110.4
Jan 15, 2025 17:39:35.016086102 CET	52267	445	192.168.2.4	36.60.110.4
Jan 15, 2025 17:39:35.016223907 CET	52268	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.021111012 CET	445	52268	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:35.021173000 CET	52268	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.021184921 CET	52268	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.021435022 CET	52269	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.022254944 CET	445	52267	36.60.110.4	192.168.2.4
Jan 15, 2025 17:39:35.022299051 CET	52267	445	192.168.2.4	36.60.110.4
Jan 15, 2025 17:39:35.026235104 CET	445	52269	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:35.026318073 CET	52269	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.026362896 CET	52269	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.027492046 CET	445	52268	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:35.028429031 CET	445	52268	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:35.028465986 CET	52268	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:35.031151056 CET	445	52269	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:36.226794004 CET	445	49763	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:36.226861954 CET	49763	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:36.226918936 CET	49763	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:36.226955891 CET	49763	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:36.231686115 CET	445	49763	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:36.231863976 CET	445	49763	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:37.102067947 CET	52292	445	192.168.2.4	32.240.226.83
Jan 15, 2025 17:39:37.300954103 CET	445	52292	32.240.226.83	192.168.2.4
Jan 15, 2025 17:39:37.301032066 CET	52292	445	192.168.2.4	32.240.226.83
Jan 15, 2025 17:39:37.317495108 CET	52292	445	192.168.2.4	32.240.226.83
Jan 15, 2025 17:39:37.317816973 CET	52293	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.317970991 CET	52294	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:37.322428942 CET	445	52292	32.240.226.83	192.168.2.4
Jan 15, 2025 17:39:37.322494984 CET	52292	445	192.168.2.4	32.240.226.83
Jan 15, 2025 17:39:37.322648048 CET	445	52293	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:37.322756052 CET	445	52294	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:37.322797060 CET	52294	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:37.322812080 CET	52293	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.346872091 CET	52293	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.346972942 CET	52294	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:37.347851038 CET	52296	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.351772070 CET	445	52293	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:37.351797104 CET	445	52294	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:37.351829052 CET	52293	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.352730036 CET	445	52296	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:37.352802992 CET	52296	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.352853060 CET	52296	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:37.357636929 CET	445	52296	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:38.228914976 CET	445	49788	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:38.228985071 CET	49788	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:38.229046106 CET	49788	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:38.229099035 CET	49788	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:38.233820915 CET	445	49788	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:38.233870029 CET	445	49788	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:39.107980967 CET	52297	445	192.168.2.4	54.76.228.176
Jan 15, 2025 17:39:39.113305092 CET	445	52297	54.76.228.176	192.168.2.4
Jan 15, 2025 17:39:39.115557909 CET	52297	445	192.168.2.4	54.76.228.176
Jan 15, 2025 17:39:39.115557909 CET	52297	445	192.168.2.4	54.76.228.176
Jan 15, 2025 17:39:39.115822077 CET	52298	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.120841026 CET	445	52298	54.76.228.1	192.168.2.4
Jan 15, 2025 17:39:39.121089935 CET	445	52297	54.76.228.176	192.168.2.4
Jan 15, 2025 17:39:39.121186018 CET	52297	445	192.168.2.4	54.76.228.176
Jan 15, 2025 17:39:39.121186018 CET	52298	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.121303082 CET	52298	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.121572971 CET	52299	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.126462936 CET	445	52298	54.76.228.1	192.168.2.4
Jan 15, 2025 17:39:39.126476049 CET	445	52299	54.76.228.1	192.168.2.4
Jan 15, 2025 17:39:39.126544952 CET	52298	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.126574993 CET	52299	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.132355928 CET	52299	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:39:39.137300968 CET	445	52299	54.76.228.1	192.168.2.4
Jan 15, 2025 17:39:39.230448008 CET	52300	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:39.235407114 CET	445	52300	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:39.235630035 CET	52300	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:39.235630035 CET	52300	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:39:39.240633011 CET	445	52300	115.22.22.1	192.168.2.4
Jan 15, 2025 17:39:40.258080006 CET	445	49813	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:40.258164883 CET	49813	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:40.258259058 CET	49813	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:40.258313894 CET	49813	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:40.263150930 CET	445	49813	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:40.263164043 CET	445	49813	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:41.120501995 CET	52301	445	192.168.2.4	24.81.53.215
Jan 15, 2025 17:39:41.125786066 CET	445	52301	24.81.53.215	192.168.2.4
Jan 15, 2025 17:39:41.127415895 CET	52301	445	192.168.2.4	24.81.53.215
Jan 15, 2025 17:39:41.127477884 CET	52301	445	192.168.2.4	24.81.53.215
Jan 15, 2025 17:39:41.127579927 CET	52302	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.132605076 CET	445	52302	24.81.53.1	192.168.2.4
Jan 15, 2025 17:39:41.132638931 CET	445	52301	24.81.53.215	192.168.2.4
Jan 15, 2025 17:39:41.132720947 CET	52301	445	192.168.2.4	24.81.53.215
Jan 15, 2025 17:39:41.132720947 CET	52302	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.133073092 CET	52302	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.133186102 CET	52303	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.137929916 CET	445	52302	24.81.53.1	192.168.2.4
Jan 15, 2025 17:39:41.138122082 CET	445	52303	24.81.53.1	192.168.2.4
Jan 15, 2025 17:39:41.138186932 CET	52302	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.138431072 CET	52303	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.138431072 CET	52303	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:39:41.143385887 CET	445	52303	24.81.53.1	192.168.2.4
Jan 15, 2025 17:39:41.229756117 CET	52304	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:41.234793901 CET	445	52304	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:41.234864950 CET	52304	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:41.234925985 CET	52304	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:39:41.239804983 CET	445	52304	76.56.126.1	192.168.2.4
Jan 15, 2025 17:39:42.338180065 CET	445	49835	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:42.339102030 CET	49835	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:42.339210987 CET	49835	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:42.339234114 CET	49835	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:42.344120979 CET	445	49835	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:42.344139099 CET	445	49835	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:43.136076927 CET	52305	445	192.168.2.4	97.219.176.139
Jan 15, 2025 17:39:43.141097069 CET	445	52305	97.219.176.139	192.168.2.4
Jan 15, 2025 17:39:43.141166925 CET	52305	445	192.168.2.4	97.219.176.139
Jan 15, 2025 17:39:43.141246080 CET	52305	445	192.168.2.4	97.219.176.139
Jan 15, 2025 17:39:43.141381979 CET	52306	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.146219015 CET	445	52306	97.219.176.1	192.168.2.4
Jan 15, 2025 17:39:43.146271944 CET	445	52305	97.219.176.139	192.168.2.4
Jan 15, 2025 17:39:43.146271944 CET	52306	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.146325111 CET	52306	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.146398067 CET	52305	445	192.168.2.4	97.219.176.139
Jan 15, 2025 17:39:43.146672964 CET	52307	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.151345968 CET	445	52306	97.219.176.1	192.168.2.4
Jan 15, 2025 17:39:43.151391983 CET	52306	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.151559114 CET	445	52307	97.219.176.1	192.168.2.4
Jan 15, 2025 17:39:43.151834011 CET	52307	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.151834011 CET	52307	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:39:43.156773090 CET	445	52307	97.219.176.1	192.168.2.4
Jan 15, 2025 17:39:43.260961056 CET	52308	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:43.266060114 CET	445	52308	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:43.266153097 CET	52308	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:43.266191006 CET	52308	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:39:43.270925999 CET	445	52308	165.36.191.1	192.168.2.4
Jan 15, 2025 17:39:44.287843943 CET	445	49859	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:44.287940025 CET	49859	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:44.288098097 CET	49859	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:44.288178921 CET	49859	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:44.293473959 CET	445	49859	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:44.293505907 CET	445	49859	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:45.152406931 CET	52309	445	192.168.2.4	39.117.145.22
Jan 15, 2025 17:39:45.157548904 CET	445	52309	39.117.145.22	192.168.2.4
Jan 15, 2025 17:39:45.157651901 CET	52309	445	192.168.2.4	39.117.145.22
Jan 15, 2025 17:39:45.157692909 CET	52309	445	192.168.2.4	39.117.145.22
Jan 15, 2025 17:39:45.157854080 CET	52310	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.163362026 CET	445	52310	39.117.145.1	192.168.2.4
Jan 15, 2025 17:39:45.163379908 CET	445	52309	39.117.145.22	192.168.2.4
Jan 15, 2025 17:39:45.163561106 CET	52309	445	192.168.2.4	39.117.145.22
Jan 15, 2025 17:39:45.163654089 CET	52310	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.163654089 CET	52310	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.163882017 CET	52311	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.168855906 CET	445	52310	39.117.145.1	192.168.2.4
Jan 15, 2025 17:39:45.168921947 CET	52310	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.168977976 CET	445	52311	39.117.145.1	192.168.2.4
Jan 15, 2025 17:39:45.169050932 CET	52311	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.169106007 CET	52311	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:39:45.173917055 CET	445	52311	39.117.145.1	192.168.2.4
Jan 15, 2025 17:39:45.354975939 CET	52312	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:45.359972000 CET	445	52312	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:45.360054016 CET	52312	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:45.360115051 CET	52312	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:39:45.364986897 CET	445	52312	40.55.118.1	192.168.2.4
Jan 15, 2025 17:39:46.287725925 CET	445	49887	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:46.288005114 CET	49887	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:46.288005114 CET	49887	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:46.288005114 CET	49887	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:46.293859005 CET	445	49887	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:46.293873072 CET	445	49887	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:47.167411089 CET	52313	445	192.168.2.4	25.8.63.166
Jan 15, 2025 17:39:47.172617912 CET	445	52313	25.8.63.166	192.168.2.4
Jan 15, 2025 17:39:47.172704935 CET	52313	445	192.168.2.4	25.8.63.166
Jan 15, 2025 17:39:47.172744036 CET	52313	445	192.168.2.4	25.8.63.166
Jan 15, 2025 17:39:47.172954082 CET	52314	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.177767992 CET	445	52313	25.8.63.166	192.168.2.4
Jan 15, 2025 17:39:47.177819967 CET	445	52314	25.8.63.1	192.168.2.4
Jan 15, 2025 17:39:47.177819967 CET	52313	445	192.168.2.4	25.8.63.166
Jan 15, 2025 17:39:47.177881956 CET	52314	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.177961111 CET	52314	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.178239107 CET	52315	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.183058023 CET	445	52315	25.8.63.1	192.168.2.4
Jan 15, 2025 17:39:47.183128119 CET	52315	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.183171988 CET	52315	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.183353901 CET	445	52314	25.8.63.1	192.168.2.4
Jan 15, 2025 17:39:47.183423042 CET	52314	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:39:47.187941074 CET	445	52315	25.8.63.1	192.168.2.4
Jan 15, 2025 17:39:47.292119026 CET	52316	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:47.296977043 CET	445	52316	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:47.297049046 CET	52316	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:47.297084093 CET	52316	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:39:47.301843882 CET	445	52316	148.190.179.1	192.168.2.4
Jan 15, 2025 17:39:48.351097107 CET	445	52170	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:48.351165056 CET	52170	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:48.351233959 CET	52170	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:48.351401091 CET	52170	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:48.356003046 CET	445	52170	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:48.356215954 CET	445	52170	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:49.042843103 CET	52317	445	192.168.2.4	89.237.246.50
Jan 15, 2025 17:39:49.047895908 CET	445	52317	89.237.246.50	192.168.2.4
Jan 15, 2025 17:39:49.048105001 CET	52317	445	192.168.2.4	89.237.246.50
Jan 15, 2025 17:39:49.048105001 CET	52317	445	192.168.2.4	89.237.246.50
Jan 15, 2025 17:39:49.048248053 CET	52318	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.054074049 CET	445	52318	89.237.246.1	192.168.2.4
Jan 15, 2025 17:39:49.054142952 CET	52318	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.054228067 CET	52318	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.054677963 CET	52319	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.055161953 CET	445	52317	89.237.246.50	192.168.2.4
Jan 15, 2025 17:39:49.055392981 CET	52317	445	192.168.2.4	89.237.246.50
Jan 15, 2025 17:39:49.059580088 CET	445	52318	89.237.246.1	192.168.2.4
Jan 15, 2025 17:39:49.059590101 CET	445	52319	89.237.246.1	192.168.2.4
Jan 15, 2025 17:39:49.059819937 CET	52319	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.059819937 CET	52319	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.063262939 CET	445	52318	89.237.246.1	192.168.2.4
Jan 15, 2025 17:39:49.063417912 CET	52318	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:39:49.064639091 CET	445	52319	89.237.246.1	192.168.2.4
Jan 15, 2025 17:39:49.292104006 CET	52320	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:49.298428059 CET	445	52320	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:49.298510075 CET	52320	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:49.298593998 CET	52320	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:39:49.303384066 CET	445	52320	16.122.44.1	192.168.2.4
Jan 15, 2025 17:39:50.371376991 CET	445	52195	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:50.371596098 CET	52195	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:50.371695042 CET	52195	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:50.371726036 CET	52195	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:50.376513004 CET	445	52195	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:50.376522064 CET	445	52195	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:50.792915106 CET	52321	445	192.168.2.4	93.83.4.160
Jan 15, 2025 17:39:50.797909021 CET	445	52321	93.83.4.160	192.168.2.4
Jan 15, 2025 17:39:50.798043013 CET	52321	445	192.168.2.4	93.83.4.160
Jan 15, 2025 17:39:50.798077106 CET	52321	445	192.168.2.4	93.83.4.160
Jan 15, 2025 17:39:50.798286915 CET	52322	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.803226948 CET	445	52322	93.83.4.1	192.168.2.4
Jan 15, 2025 17:39:50.803292036 CET	445	52321	93.83.4.160	192.168.2.4
Jan 15, 2025 17:39:50.803294897 CET	52322	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.803323030 CET	52322	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.803397894 CET	52321	445	192.168.2.4	93.83.4.160
Jan 15, 2025 17:39:50.803730011 CET	52323	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.808444977 CET	445	52322	93.83.4.1	192.168.2.4
Jan 15, 2025 17:39:50.808490038 CET	52322	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.808521986 CET	445	52323	93.83.4.1	192.168.2.4
Jan 15, 2025 17:39:50.808679104 CET	52323	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.808680058 CET	52323	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:39:50.813704967 CET	445	52323	93.83.4.1	192.168.2.4
Jan 15, 2025 17:39:51.354531050 CET	52324	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:51.359538078 CET	445	52324	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:51.359625101 CET	52324	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:51.359659910 CET	52324	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:39:51.364569902 CET	445	52324	175.138.214.1	192.168.2.4
Jan 15, 2025 17:39:52.433180094 CET	52325	445	192.168.2.4	161.183.110.166
Jan 15, 2025 17:39:52.573225021 CET	445	52220	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:52.573357105 CET	52220	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:52.573357105 CET	52220	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:52.573448896 CET	52220	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:52.573877096 CET	445	52325	161.183.110.166	192.168.2.4
Jan 15, 2025 17:39:52.575408936 CET	52325	445	192.168.2.4	161.183.110.166
Jan 15, 2025 17:39:52.575484037 CET	52325	445	192.168.2.4	161.183.110.166
Jan 15, 2025 17:39:52.575768948 CET	52326	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.578289986 CET	445	52220	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:52.578299046 CET	445	52220	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:52.580368996 CET	445	52325	161.183.110.166	192.168.2.4
Jan 15, 2025 17:39:52.580576897 CET	445	52326	161.183.110.1	192.168.2.4
Jan 15, 2025 17:39:52.580673933 CET	52326	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.580730915 CET	52325	445	192.168.2.4	161.183.110.166
Jan 15, 2025 17:39:52.580760956 CET	52326	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.581051111 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.585838079 CET	445	52326	161.183.110.1	192.168.2.4
Jan 15, 2025 17:39:52.585848093 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:39:52.585916996 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.585957050 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.586040020 CET	52326	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:39:52.590935946 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:39:53.386027098 CET	52328	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:53.391001940 CET	445	52328	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:53.391094923 CET	52328	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:53.391163111 CET	52328	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:39:53.395973921 CET	445	52328	47.235.125.1	192.168.2.4
Jan 15, 2025 17:39:53.964144945 CET	52329	445	192.168.2.4	155.214.228.235
Jan 15, 2025 17:39:53.968940020 CET	445	52329	155.214.228.235	192.168.2.4
Jan 15, 2025 17:39:53.969000101 CET	52329	445	192.168.2.4	155.214.228.235
Jan 15, 2025 17:39:53.969047070 CET	52329	445	192.168.2.4	155.214.228.235
Jan 15, 2025 17:39:53.969257116 CET	52330	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.974014997 CET	445	52329	155.214.228.235	192.168.2.4
Jan 15, 2025 17:39:53.974060059 CET	52329	445	192.168.2.4	155.214.228.235
Jan 15, 2025 17:39:53.974159002 CET	445	52330	155.214.228.1	192.168.2.4
Jan 15, 2025 17:39:53.974205017 CET	52330	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.974292994 CET	52330	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.974594116 CET	52331	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.979223013 CET	445	52330	155.214.228.1	192.168.2.4
Jan 15, 2025 17:39:53.979283094 CET	52330	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.979387999 CET	445	52331	155.214.228.1	192.168.2.4
Jan 15, 2025 17:39:53.979446888 CET	52331	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.979481936 CET	52331	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:39:53.984255075 CET	445	52331	155.214.228.1	192.168.2.4
Jan 15, 2025 17:39:54.365881920 CET	445	52245	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:54.369398117 CET	52245	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:54.369436026 CET	52245	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:54.369481087 CET	52245	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:54.374696970 CET	445	52245	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:54.374707937 CET	445	52245	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:55.386980057 CET	52332	445	192.168.2.4	212.25.241.104
Jan 15, 2025 17:39:55.392728090 CET	445	52332	212.25.241.104	192.168.2.4
Jan 15, 2025 17:39:55.392829895 CET	52332	445	192.168.2.4	212.25.241.104
Jan 15, 2025 17:39:55.392950058 CET	52332	445	192.168.2.4	212.25.241.104
Jan 15, 2025 17:39:55.393260002 CET	52333	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.398163080 CET	445	52333	212.25.241.1	192.168.2.4
Jan 15, 2025 17:39:55.398246050 CET	52333	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.398578882 CET	52333	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.398580074 CET	52334	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.399476051 CET	445	52332	212.25.241.104	192.168.2.4
Jan 15, 2025 17:39:55.402232885 CET	445	52332	212.25.241.104	192.168.2.4
Jan 15, 2025 17:39:55.402286053 CET	52332	445	192.168.2.4	212.25.241.104
Jan 15, 2025 17:39:55.403456926 CET	445	52334	212.25.241.1	192.168.2.4
Jan 15, 2025 17:39:55.403465033 CET	445	52333	212.25.241.1	192.168.2.4
Jan 15, 2025 17:39:55.403527975 CET	52333	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.403558016 CET	52334	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.403558016 CET	52334	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:39:55.408427954 CET	445	52334	212.25.241.1	192.168.2.4
Jan 15, 2025 17:39:55.588943005 CET	52335	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:55.594000101 CET	445	52335	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:55.594067097 CET	52335	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:55.594125986 CET	52335	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:39:55.598958015 CET	445	52335	188.158.166.1	192.168.2.4
Jan 15, 2025 17:39:56.418379068 CET	445	52269	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:56.419493914 CET	52269	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:56.419493914 CET	52269	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:56.419493914 CET	52269	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:56.425015926 CET	445	52269	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:56.425030947 CET	445	52269	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:56.783785105 CET	52336	445	192.168.2.4	92.29.141.21
Jan 15, 2025 17:39:56.788789034 CET	445	52336	92.29.141.21	192.168.2.4
Jan 15, 2025 17:39:56.788991928 CET	52336	445	192.168.2.4	92.29.141.21
Jan 15, 2025 17:39:56.788991928 CET	52336	445	192.168.2.4	92.29.141.21
Jan 15, 2025 17:39:56.789256096 CET	52337	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.794040918 CET	445	52337	92.29.141.1	192.168.2.4
Jan 15, 2025 17:39:56.794060946 CET	445	52336	92.29.141.21	192.168.2.4
Jan 15, 2025 17:39:56.794151068 CET	52337	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.794236898 CET	52336	445	192.168.2.4	92.29.141.21
Jan 15, 2025 17:39:56.794265985 CET	52337	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.795151949 CET	52338	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.799344063 CET	445	52337	92.29.141.1	192.168.2.4
Jan 15, 2025 17:39:56.799396992 CET	52337	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.799915075 CET	445	52338	92.29.141.1	192.168.2.4
Jan 15, 2025 17:39:56.800024986 CET	52338	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.800024986 CET	52338	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:39:56.804778099 CET	445	52338	92.29.141.1	192.168.2.4
Jan 15, 2025 17:39:57.370309114 CET	52339	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:57.375269890 CET	445	52339	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:57.375376940 CET	52339	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:57.375411034 CET	52339	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:39:57.381175041 CET	445	52339	52.105.25.1	192.168.2.4
Jan 15, 2025 17:39:58.026802063 CET	52340	445	192.168.2.4	209.12.10.65
Jan 15, 2025 17:39:58.031774044 CET	445	52340	209.12.10.65	192.168.2.4
Jan 15, 2025 17:39:58.031891108 CET	52340	445	192.168.2.4	209.12.10.65
Jan 15, 2025 17:39:58.031989098 CET	52340	445	192.168.2.4	209.12.10.65
Jan 15, 2025 17:39:58.032257080 CET	52341	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.037004948 CET	445	52340	209.12.10.65	192.168.2.4
Jan 15, 2025 17:39:58.037072897 CET	52340	445	192.168.2.4	209.12.10.65
Jan 15, 2025 17:39:58.037153006 CET	445	52341	209.12.10.1	192.168.2.4
Jan 15, 2025 17:39:58.037234068 CET	52341	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.037234068 CET	52341	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.037489891 CET	52342	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.042274952 CET	445	52342	209.12.10.1	192.168.2.4
Jan 15, 2025 17:39:58.042335033 CET	52342	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.042354107 CET	445	52341	209.12.10.1	192.168.2.4
Jan 15, 2025 17:39:58.042396069 CET	52342	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.042422056 CET	52341	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:39:58.047156096 CET	445	52342	209.12.10.1	192.168.2.4
Jan 15, 2025 17:39:58.713706017 CET	445	52294	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:58.713783026 CET	52294	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:58.713870049 CET	52294	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:58.713898897 CET	52294	445	192.168.2.4	29.177.137.1
Jan 15, 2025 17:39:58.718647003 CET	445	52294	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:58.718661070 CET	445	52294	29.177.137.1	192.168.2.4
Jan 15, 2025 17:39:58.746541977 CET	445	52296	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:58.746710062 CET	52296	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:58.746711016 CET	52296	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:58.746711016 CET	52296	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:39:58.751564980 CET	445	52296	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:58.751578093 CET	445	52296	32.240.226.1	192.168.2.4
Jan 15, 2025 17:39:58.776654959 CET	52343	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.781471968 CET	445	52343	29.177.137.2	192.168.2.4
Jan 15, 2025 17:39:58.781538010 CET	52343	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.781562090 CET	52343	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.781900883 CET	52344	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.786541939 CET	445	52343	29.177.137.2	192.168.2.4
Jan 15, 2025 17:39:58.786602974 CET	52343	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.786690950 CET	445	52344	29.177.137.2	192.168.2.4
Jan 15, 2025 17:39:58.786777973 CET	52344	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.786868095 CET	52344	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:39:58.791599035 CET	445	52344	29.177.137.2	192.168.2.4
Jan 15, 2025 17:39:59.183029890 CET	52345	445	192.168.2.4	41.209.109.228
Jan 15, 2025 17:39:59.187971115 CET	445	52345	41.209.109.228	192.168.2.4
Jan 15, 2025 17:39:59.188204050 CET	52345	445	192.168.2.4	41.209.109.228
Jan 15, 2025 17:39:59.188204050 CET	52345	445	192.168.2.4	41.209.109.228
Jan 15, 2025 17:39:59.188302040 CET	52346	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.193661928 CET	445	52346	41.209.109.1	192.168.2.4
Jan 15, 2025 17:39:59.193701982 CET	445	52345	41.209.109.228	192.168.2.4
Jan 15, 2025 17:39:59.193736076 CET	52346	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.193850994 CET	52345	445	192.168.2.4	41.209.109.228
Jan 15, 2025 17:39:59.193886995 CET	52346	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.194297075 CET	52347	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.199552059 CET	445	52346	41.209.109.1	192.168.2.4
Jan 15, 2025 17:39:59.199631929 CET	52346	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.200058937 CET	445	52347	41.209.109.1	192.168.2.4
Jan 15, 2025 17:39:59.200145960 CET	52347	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.200145960 CET	52347	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:39:59.205698967 CET	445	52347	41.209.109.1	192.168.2.4
Jan 15, 2025 17:39:59.433757067 CET	52348	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:59.438842058 CET	445	52348	36.60.110.1	192.168.2.4
Jan 15, 2025 17:39:59.439080000 CET	52348	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:59.439080000 CET	52348	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:39:59.444020033 CET	445	52348	36.60.110.1	192.168.2.4
Jan 15, 2025 17:40:00.261133909 CET	52349	445	192.168.2.4	61.126.105.30
Jan 15, 2025 17:40:00.266108990 CET	445	52349	61.126.105.30	192.168.2.4
Jan 15, 2025 17:40:00.266211987 CET	52349	445	192.168.2.4	61.126.105.30
Jan 15, 2025 17:40:00.266357899 CET	52349	445	192.168.2.4	61.126.105.30
Jan 15, 2025 17:40:00.266619921 CET	52350	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.271440983 CET	445	52350	61.126.105.1	192.168.2.4
Jan 15, 2025 17:40:00.271456003 CET	445	52349	61.126.105.30	192.168.2.4
Jan 15, 2025 17:40:00.271538973 CET	52350	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.271559954 CET	52349	445	192.168.2.4	61.126.105.30
Jan 15, 2025 17:40:00.271594048 CET	52350	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.271970987 CET	52351	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.276726007 CET	445	52351	61.126.105.1	192.168.2.4
Jan 15, 2025 17:40:00.276796103 CET	52351	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.276823997 CET	52351	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.277081966 CET	445	52350	61.126.105.1	192.168.2.4
Jan 15, 2025 17:40:00.277147055 CET	52350	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:00.281570911 CET	445	52351	61.126.105.1	192.168.2.4
Jan 15, 2025 17:40:00.490948915 CET	445	52299	54.76.228.1	192.168.2.4
Jan 15, 2025 17:40:00.491039991 CET	52299	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:00.491039991 CET	52299	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:00.491139889 CET	52299	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:00.495978117 CET	445	52299	54.76.228.1	192.168.2.4
Jan 15, 2025 17:40:00.495990992 CET	445	52299	54.76.228.1	192.168.2.4
Jan 15, 2025 17:40:00.637280941 CET	445	52300	115.22.22.1	192.168.2.4
Jan 15, 2025 17:40:00.637424946 CET	52300	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:40:00.637518883 CET	52300	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:40:00.637617111 CET	52300	445	192.168.2.4	115.22.22.1
Jan 15, 2025 17:40:00.642517090 CET	445	52300	115.22.22.1	192.168.2.4
Jan 15, 2025 17:40:00.642653942 CET	445	52300	115.22.22.1	192.168.2.4
Jan 15, 2025 17:40:00.699539900 CET	52352	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.704421043 CET	445	52352	115.22.22.2	192.168.2.4
Jan 15, 2025 17:40:00.704514027 CET	52352	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.704554081 CET	52352	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.704874992 CET	52353	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.709856987 CET	445	52352	115.22.22.2	192.168.2.4
Jan 15, 2025 17:40:00.709871054 CET	445	52353	115.22.22.2	192.168.2.4
Jan 15, 2025 17:40:00.709914923 CET	52352	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.709994078 CET	52353	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.710017920 CET	52353	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:00.714818954 CET	445	52353	115.22.22.2	192.168.2.4
Jan 15, 2025 17:40:01.277672052 CET	52354	445	192.168.2.4	214.105.233.222
Jan 15, 2025 17:40:01.282715082 CET	445	52354	214.105.233.222	192.168.2.4
Jan 15, 2025 17:40:01.282902956 CET	52354	445	192.168.2.4	214.105.233.222
Jan 15, 2025 17:40:01.282902956 CET	52354	445	192.168.2.4	214.105.233.222
Jan 15, 2025 17:40:01.283051968 CET	52355	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.287974119 CET	445	52354	214.105.233.222	192.168.2.4
Jan 15, 2025 17:40:01.287988901 CET	445	52355	214.105.233.1	192.168.2.4
Jan 15, 2025 17:40:01.288095951 CET	52354	445	192.168.2.4	214.105.233.222
Jan 15, 2025 17:40:01.288156986 CET	52355	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.288254023 CET	52355	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.288764954 CET	52356	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.293225050 CET	445	52355	214.105.233.1	192.168.2.4
Jan 15, 2025 17:40:01.293313026 CET	52355	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.293665886 CET	445	52356	214.105.233.1	192.168.2.4
Jan 15, 2025 17:40:01.293755054 CET	52356	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.293801069 CET	52356	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:01.298615932 CET	445	52356	214.105.233.1	192.168.2.4
Jan 15, 2025 17:40:01.760864019 CET	52357	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:40:01.766510963 CET	445	52357	32.240.226.1	192.168.2.4
Jan 15, 2025 17:40:01.766747952 CET	52357	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:40:01.766747952 CET	52357	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:40:01.772552013 CET	445	52357	32.240.226.1	192.168.2.4
Jan 15, 2025 17:40:02.242995977 CET	52358	445	192.168.2.4	130.190.236.157
Jan 15, 2025 17:40:02.247977972 CET	445	52358	130.190.236.157	192.168.2.4
Jan 15, 2025 17:40:02.248060942 CET	52358	445	192.168.2.4	130.190.236.157
Jan 15, 2025 17:40:02.248291969 CET	52358	445	192.168.2.4	130.190.236.157
Jan 15, 2025 17:40:02.248497963 CET	52359	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.253117085 CET	445	52358	130.190.236.157	192.168.2.4
Jan 15, 2025 17:40:02.253186941 CET	52358	445	192.168.2.4	130.190.236.157
Jan 15, 2025 17:40:02.253428936 CET	445	52359	130.190.236.1	192.168.2.4
Jan 15, 2025 17:40:02.253520966 CET	52359	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.257900953 CET	52359	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.258213997 CET	52360	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.262876987 CET	445	52359	130.190.236.1	192.168.2.4
Jan 15, 2025 17:40:02.262955904 CET	52359	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.263910055 CET	445	52360	130.190.236.1	192.168.2.4
Jan 15, 2025 17:40:02.263978004 CET	52360	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.266242981 CET	52360	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:02.271908998 CET	445	52360	130.190.236.1	192.168.2.4
Jan 15, 2025 17:40:02.524646997 CET	445	52303	24.81.53.1	192.168.2.4
Jan 15, 2025 17:40:02.524749041 CET	52303	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:02.525105000 CET	52303	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:02.525154114 CET	52303	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:02.530858040 CET	445	52303	24.81.53.1	192.168.2.4
Jan 15, 2025 17:40:02.530868053 CET	445	52303	24.81.53.1	192.168.2.4
Jan 15, 2025 17:40:02.620817900 CET	445	52304	76.56.126.1	192.168.2.4
Jan 15, 2025 17:40:02.620889902 CET	52304	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:40:02.620990038 CET	52304	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:40:02.621068954 CET	52304	445	192.168.2.4	76.56.126.1
Jan 15, 2025 17:40:02.626766920 CET	445	52304	76.56.126.1	192.168.2.4
Jan 15, 2025 17:40:02.626872063 CET	445	52304	76.56.126.1	192.168.2.4
Jan 15, 2025 17:40:02.683326960 CET	52361	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.689436913 CET	445	52361	76.56.126.2	192.168.2.4
Jan 15, 2025 17:40:02.689503908 CET	52361	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.689562082 CET	52361	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.690022945 CET	52362	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.695677042 CET	445	52361	76.56.126.2	192.168.2.4
Jan 15, 2025 17:40:02.695729971 CET	52361	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.696038008 CET	445	52362	76.56.126.2	192.168.2.4
Jan 15, 2025 17:40:02.696095943 CET	52362	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.696232080 CET	52362	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:02.702613115 CET	445	52362	76.56.126.2	192.168.2.4
Jan 15, 2025 17:40:03.120595932 CET	52364	445	192.168.2.4	16.105.17.80
Jan 15, 2025 17:40:03.125901937 CET	445	52364	16.105.17.80	192.168.2.4
Jan 15, 2025 17:40:03.125977039 CET	52364	445	192.168.2.4	16.105.17.80
Jan 15, 2025 17:40:03.126075983 CET	52364	445	192.168.2.4	16.105.17.80
Jan 15, 2025 17:40:03.126380920 CET	52365	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.131582022 CET	445	52365	16.105.17.1	192.168.2.4
Jan 15, 2025 17:40:03.131759882 CET	52365	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.131761074 CET	52365	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.131941080 CET	52366	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.133801937 CET	445	52364	16.105.17.80	192.168.2.4
Jan 15, 2025 17:40:03.133862019 CET	52364	445	192.168.2.4	16.105.17.80
Jan 15, 2025 17:40:03.136899948 CET	445	52366	16.105.17.1	192.168.2.4
Jan 15, 2025 17:40:03.136992931 CET	52366	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.137047052 CET	52366	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.138549089 CET	445	52365	16.105.17.1	192.168.2.4
Jan 15, 2025 17:40:03.138627052 CET	52365	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:03.141865969 CET	445	52366	16.105.17.1	192.168.2.4
Jan 15, 2025 17:40:03.495332003 CET	52367	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:03.500363111 CET	445	52367	54.76.228.1	192.168.2.4
Jan 15, 2025 17:40:03.500586987 CET	52367	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:03.500586987 CET	52367	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:03.505572081 CET	445	52367	54.76.228.1	192.168.2.4
Jan 15, 2025 17:40:03.948772907 CET	52369	445	192.168.2.4	83.110.238.57
Jan 15, 2025 17:40:03.954231024 CET	445	52369	83.110.238.57	192.168.2.4
Jan 15, 2025 17:40:03.954315901 CET	52369	445	192.168.2.4	83.110.238.57
Jan 15, 2025 17:40:03.954406977 CET	52369	445	192.168.2.4	83.110.238.57
Jan 15, 2025 17:40:03.954583883 CET	52370	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.959537029 CET	445	52369	83.110.238.57	192.168.2.4
Jan 15, 2025 17:40:03.959547997 CET	445	52370	83.110.238.1	192.168.2.4
Jan 15, 2025 17:40:03.959585905 CET	52369	445	192.168.2.4	83.110.238.57
Jan 15, 2025 17:40:03.959705114 CET	52370	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.959705114 CET	52370	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.960002899 CET	52371	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.964843988 CET	445	52371	83.110.238.1	192.168.2.4
Jan 15, 2025 17:40:03.964926004 CET	445	52370	83.110.238.1	192.168.2.4
Jan 15, 2025 17:40:03.964931011 CET	52371	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.964962959 CET	52371	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.964996099 CET	52370	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:03.969716072 CET	445	52371	83.110.238.1	192.168.2.4
Jan 15, 2025 17:40:04.527996063 CET	445	52307	97.219.176.1	192.168.2.4
Jan 15, 2025 17:40:04.528157949 CET	52307	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:04.528157949 CET	52307	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:04.528157949 CET	52307	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:04.532917023 CET	445	52307	97.219.176.1	192.168.2.4
Jan 15, 2025 17:40:04.532960892 CET	445	52307	97.219.176.1	192.168.2.4
Jan 15, 2025 17:40:04.633253098 CET	445	52308	165.36.191.1	192.168.2.4
Jan 15, 2025 17:40:04.633317947 CET	52308	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:40:04.633454084 CET	52308	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:40:04.633511066 CET	52308	445	192.168.2.4	165.36.191.1
Jan 15, 2025 17:40:04.638252974 CET	445	52308	165.36.191.1	192.168.2.4
Jan 15, 2025 17:40:04.638262033 CET	445	52308	165.36.191.1	192.168.2.4
Jan 15, 2025 17:40:04.698396921 CET	52372	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.703264952 CET	445	52372	165.36.191.2	192.168.2.4
Jan 15, 2025 17:40:04.703346968 CET	52372	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.703438044 CET	52372	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.703758001 CET	52373	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.708518982 CET	445	52373	165.36.191.2	192.168.2.4
Jan 15, 2025 17:40:04.708637953 CET	52373	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.708671093 CET	52373	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.709583044 CET	445	52372	165.36.191.2	192.168.2.4
Jan 15, 2025 17:40:04.709638119 CET	52372	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:04.713387966 CET	445	52373	165.36.191.2	192.168.2.4
Jan 15, 2025 17:40:04.714272022 CET	52374	445	192.168.2.4	206.193.176.9
Jan 15, 2025 17:40:04.719780922 CET	445	52374	206.193.176.9	192.168.2.4
Jan 15, 2025 17:40:04.719866037 CET	52374	445	192.168.2.4	206.193.176.9
Jan 15, 2025 17:40:04.719893932 CET	52374	445	192.168.2.4	206.193.176.9
Jan 15, 2025 17:40:04.720010042 CET	52375	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.725807905 CET	445	52375	206.193.176.1	192.168.2.4
Jan 15, 2025 17:40:04.725867033 CET	52375	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.725889921 CET	52375	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.725936890 CET	445	52374	206.193.176.9	192.168.2.4
Jan 15, 2025 17:40:04.726180077 CET	52374	445	192.168.2.4	206.193.176.9
Jan 15, 2025 17:40:04.726480961 CET	52376	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.730796099 CET	445	52375	206.193.176.1	192.168.2.4
Jan 15, 2025 17:40:04.730849981 CET	52375	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.731252909 CET	445	52376	206.193.176.1	192.168.2.4
Jan 15, 2025 17:40:04.731328011 CET	52376	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.731328011 CET	52376	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:04.736114979 CET	445	52376	206.193.176.1	192.168.2.4
Jan 15, 2025 17:40:05.526488066 CET	52383	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:05.531383038 CET	445	52383	24.81.53.1	192.168.2.4
Jan 15, 2025 17:40:05.531502008 CET	52383	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:05.531553030 CET	52383	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:05.536276102 CET	445	52383	24.81.53.1	192.168.2.4
Jan 15, 2025 17:40:06.542120934 CET	445	52311	39.117.145.1	192.168.2.4
Jan 15, 2025 17:40:06.542187929 CET	52311	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:06.542260885 CET	52311	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:06.542294025 CET	52311	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:06.548183918 CET	445	52311	39.117.145.1	192.168.2.4
Jan 15, 2025 17:40:06.548192978 CET	445	52311	39.117.145.1	192.168.2.4
Jan 15, 2025 17:40:06.760737896 CET	445	52312	40.55.118.1	192.168.2.4
Jan 15, 2025 17:40:06.760935068 CET	52312	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:40:06.760935068 CET	52312	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:40:06.760991096 CET	52312	445	192.168.2.4	40.55.118.1
Jan 15, 2025 17:40:06.765777111 CET	445	52312	40.55.118.1	192.168.2.4
Jan 15, 2025 17:40:06.765786886 CET	445	52312	40.55.118.1	192.168.2.4
Jan 15, 2025 17:40:06.823342085 CET	52395	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.828758955 CET	445	52395	40.55.118.2	192.168.2.4
Jan 15, 2025 17:40:06.828824997 CET	52395	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.828862906 CET	52395	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.829134941 CET	52396	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.834567070 CET	445	52395	40.55.118.2	192.168.2.4
Jan 15, 2025 17:40:06.834614038 CET	52395	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.834923029 CET	445	52396	40.55.118.2	192.168.2.4
Jan 15, 2025 17:40:06.834980965 CET	52396	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.835021973 CET	52396	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:06.840605021 CET	445	52396	40.55.118.2	192.168.2.4
Jan 15, 2025 17:40:07.542020082 CET	52403	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:07.546897888 CET	445	52403	97.219.176.1	192.168.2.4
Jan 15, 2025 17:40:07.546979904 CET	52403	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:07.547015905 CET	52403	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:07.551795959 CET	445	52403	97.219.176.1	192.168.2.4
Jan 15, 2025 17:40:08.555299997 CET	445	52315	25.8.63.1	192.168.2.4
Jan 15, 2025 17:40:08.555356979 CET	52315	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:08.555393934 CET	52315	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:08.555427074 CET	52315	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:08.560254097 CET	445	52315	25.8.63.1	192.168.2.4
Jan 15, 2025 17:40:08.560266972 CET	445	52315	25.8.63.1	192.168.2.4
Jan 15, 2025 17:40:08.698519945 CET	445	52316	148.190.179.1	192.168.2.4
Jan 15, 2025 17:40:08.698561907 CET	52316	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:40:08.698759079 CET	52316	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:40:08.698858023 CET	52316	445	192.168.2.4	148.190.179.1
Jan 15, 2025 17:40:08.703491926 CET	445	52316	148.190.179.1	192.168.2.4
Jan 15, 2025 17:40:08.703556061 CET	445	52316	148.190.179.1	192.168.2.4
Jan 15, 2025 17:40:08.761673927 CET	52415	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.766556978 CET	445	52415	148.190.179.2	192.168.2.4
Jan 15, 2025 17:40:08.766618013 CET	52415	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.772996902 CET	52415	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.773761988 CET	52416	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.777816057 CET	445	52415	148.190.179.2	192.168.2.4
Jan 15, 2025 17:40:08.777861118 CET	52415	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.778681040 CET	445	52416	148.190.179.2	192.168.2.4
Jan 15, 2025 17:40:08.778743029 CET	52416	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.778772116 CET	52416	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:08.783580065 CET	445	52416	148.190.179.2	192.168.2.4
Jan 15, 2025 17:40:09.557775974 CET	52430	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:09.562853098 CET	445	52430	39.117.145.1	192.168.2.4
Jan 15, 2025 17:40:09.565308094 CET	52430	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:09.565340042 CET	52430	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:09.570242882 CET	445	52430	39.117.145.1	192.168.2.4
Jan 15, 2025 17:40:10.444370031 CET	445	52319	89.237.246.1	192.168.2.4
Jan 15, 2025 17:40:10.444453955 CET	52319	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:10.444499969 CET	52319	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:10.444528103 CET	52319	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:10.449421883 CET	445	52319	89.237.246.1	192.168.2.4
Jan 15, 2025 17:40:10.449454069 CET	445	52319	89.237.246.1	192.168.2.4
Jan 15, 2025 17:40:10.697268009 CET	445	52320	16.122.44.1	192.168.2.4
Jan 15, 2025 17:40:10.697323084 CET	52320	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:40:10.697344065 CET	52320	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:40:10.697376013 CET	52320	445	192.168.2.4	16.122.44.1
Jan 15, 2025 17:40:10.702238083 CET	445	52320	16.122.44.1	192.168.2.4
Jan 15, 2025 17:40:10.702253103 CET	445	52320	16.122.44.1	192.168.2.4
Jan 15, 2025 17:40:10.761071920 CET	52452	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.765938044 CET	445	52452	16.122.44.2	192.168.2.4
Jan 15, 2025 17:40:10.766016006 CET	52452	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.766096115 CET	52452	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.766432047 CET	52453	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.771207094 CET	445	52452	16.122.44.2	192.168.2.4
Jan 15, 2025 17:40:10.771223068 CET	445	52453	16.122.44.2	192.168.2.4
Jan 15, 2025 17:40:10.771264076 CET	52452	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.771291018 CET	52453	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.771323919 CET	52453	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:10.776067019 CET	445	52453	16.122.44.2	192.168.2.4
Jan 15, 2025 17:40:11.557873011 CET	52465	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:11.562704086 CET	445	52465	25.8.63.1	192.168.2.4
Jan 15, 2025 17:40:11.564191103 CET	52465	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:11.564191103 CET	52465	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:11.568937063 CET	445	52465	25.8.63.1	192.168.2.4
Jan 15, 2025 17:40:12.215342045 CET	445	52323	93.83.4.1	192.168.2.4
Jan 15, 2025 17:40:12.215434074 CET	52323	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:40:12.215516090 CET	52323	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:40:12.215516090 CET	52323	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:40:12.220406055 CET	445	52323	93.83.4.1	192.168.2.4
Jan 15, 2025 17:40:12.220416069 CET	445	52323	93.83.4.1	192.168.2.4
Jan 15, 2025 17:40:12.745182037 CET	445	52324	175.138.214.1	192.168.2.4
Jan 15, 2025 17:40:12.745265961 CET	52324	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:40:12.745335102 CET	52324	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:40:12.745361090 CET	52324	445	192.168.2.4	175.138.214.1
Jan 15, 2025 17:40:12.750174999 CET	445	52324	175.138.214.1	192.168.2.4
Jan 15, 2025 17:40:12.750188112 CET	445	52324	175.138.214.1	192.168.2.4
Jan 15, 2025 17:40:12.808041096 CET	52495	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.812942982 CET	445	52495	175.138.214.2	192.168.2.4
Jan 15, 2025 17:40:12.812995911 CET	52495	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.813088894 CET	52495	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.813360929 CET	52496	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.818016052 CET	445	52495	175.138.214.2	192.168.2.4
Jan 15, 2025 17:40:12.818089962 CET	445	52496	175.138.214.2	192.168.2.4
Jan 15, 2025 17:40:12.818130970 CET	52495	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.818151951 CET	52496	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.818181038 CET	52496	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:12.822926044 CET	445	52496	175.138.214.2	192.168.2.4
Jan 15, 2025 17:40:13.448421001 CET	52514	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:13.807601929 CET	49724	80	192.168.2.4	199.232.214.172
Jan 15, 2025 17:40:14.120388985 CET	49724	80	192.168.2.4	199.232.214.172
Jan 15, 2025 17:40:14.181375980 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:40:14.181432009 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:40:14.181466103 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:40:14.181468964 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:40:14.181504011 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:40:14.181530952 CET	52327	445	192.168.2.4	161.183.110.1
Jan 15, 2025 17:40:14.183069944 CET	445	52514	89.237.246.1	192.168.2.4
Jan 15, 2025 17:40:14.183082104 CET	80	49724	199.232.214.172	192.168.2.4
Jan 15, 2025 17:40:14.183094025 CET	80	49724	199.232.214.172	192.168.2.4
Jan 15, 2025 17:40:14.183140993 CET	52514	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:14.183172941 CET	49724	80	192.168.2.4	199.232.214.172
Jan 15, 2025 17:40:14.183221102 CET	52514	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:14.189697981 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:40:14.189707994 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:40:14.189718008 CET	445	52327	161.183.110.1	192.168.2.4
Jan 15, 2025 17:40:14.189744949 CET	445	52514	89.237.246.1	192.168.2.4
Jan 15, 2025 17:40:14.756177902 CET	445	52328	47.235.125.1	192.168.2.4
Jan 15, 2025 17:40:14.756232023 CET	52328	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:40:14.756266117 CET	52328	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:40:14.756313086 CET	52328	445	192.168.2.4	47.235.125.1
Jan 15, 2025 17:40:14.761104107 CET	445	52328	47.235.125.1	192.168.2.4
Jan 15, 2025 17:40:14.761116028 CET	445	52328	47.235.125.1	192.168.2.4
Jan 15, 2025 17:40:14.810215950 CET	52560	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.815077066 CET	445	52560	47.235.125.2	192.168.2.4
Jan 15, 2025 17:40:14.815165997 CET	52560	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.815232038 CET	52560	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.815474987 CET	52561	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.820190907 CET	445	52561	47.235.125.2	192.168.2.4
Jan 15, 2025 17:40:14.820250034 CET	52561	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.820282936 CET	52561	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.820307970 CET	445	52560	47.235.125.2	192.168.2.4
Jan 15, 2025 17:40:14.820410967 CET	52560	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:14.825006008 CET	445	52561	47.235.125.2	192.168.2.4
Jan 15, 2025 17:40:15.229517937 CET	52584	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:40:15.418719053 CET	445	52331	155.214.228.1	192.168.2.4
Jan 15, 2025 17:40:15.418906927 CET	52331	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:40:15.418955088 CET	52331	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:40:15.418955088 CET	52331	445	192.168.2.4	155.214.228.1
Jan 15, 2025 17:40:15.419789076 CET	445	52584	93.83.4.1	192.168.2.4
Jan 15, 2025 17:40:15.419945002 CET	52584	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:40:15.420027971 CET	52584	445	192.168.2.4	93.83.4.1
Jan 15, 2025 17:40:15.424663067 CET	445	52331	155.214.228.1	192.168.2.4
Jan 15, 2025 17:40:15.424671888 CET	445	52331	155.214.228.1	192.168.2.4
Jan 15, 2025 17:40:15.425621033 CET	445	52584	93.83.4.1	192.168.2.4
Jan 15, 2025 17:40:16.788027048 CET	445	52334	212.25.241.1	192.168.2.4
Jan 15, 2025 17:40:16.788104057 CET	52334	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:40:16.959922075 CET	445	52335	188.158.166.1	192.168.2.4
Jan 15, 2025 17:40:16.960089922 CET	52335	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:40:17.176862955 CET	52496	445	192.168.2.4	175.138.214.2
Jan 15, 2025 17:40:17.176976919 CET	52453	445	192.168.2.4	16.122.44.2
Jan 15, 2025 17:40:17.177071095 CET	52416	445	192.168.2.4	148.190.179.2
Jan 15, 2025 17:40:17.177083015 CET	52367	445	192.168.2.4	54.76.228.1
Jan 15, 2025 17:40:17.177083015 CET	52373	445	192.168.2.4	165.36.191.2
Jan 15, 2025 17:40:17.177151918 CET	52561	445	192.168.2.4	47.235.125.2
Jan 15, 2025 17:40:17.177151918 CET	52348	445	192.168.2.4	36.60.110.1
Jan 15, 2025 17:40:17.177175999 CET	52335	445	192.168.2.4	188.158.166.1
Jan 15, 2025 17:40:17.177175999 CET	52334	445	192.168.2.4	212.25.241.1
Jan 15, 2025 17:40:17.177248001 CET	52339	445	192.168.2.4	52.105.25.1
Jan 15, 2025 17:40:17.177258015 CET	52338	445	192.168.2.4	92.29.141.1
Jan 15, 2025 17:40:17.177290916 CET	52344	445	192.168.2.4	29.177.137.2
Jan 15, 2025 17:40:17.177311897 CET	52342	445	192.168.2.4	209.12.10.1
Jan 15, 2025 17:40:17.177311897 CET	52347	445	192.168.2.4	41.209.109.1
Jan 15, 2025 17:40:17.177315950 CET	52351	445	192.168.2.4	61.126.105.1
Jan 15, 2025 17:40:17.177357912 CET	52353	445	192.168.2.4	115.22.22.2
Jan 15, 2025 17:40:17.177362919 CET	52356	445	192.168.2.4	214.105.233.1
Jan 15, 2025 17:40:17.177385092 CET	52360	445	192.168.2.4	130.190.236.1
Jan 15, 2025 17:40:17.177405119 CET	52357	445	192.168.2.4	32.240.226.1
Jan 15, 2025 17:40:17.177464008 CET	52366	445	192.168.2.4	16.105.17.1
Jan 15, 2025 17:40:17.177469015 CET	52362	445	192.168.2.4	76.56.126.2
Jan 15, 2025 17:40:17.177505016 CET	52371	445	192.168.2.4	83.110.238.1
Jan 15, 2025 17:40:17.177514076 CET	52376	445	192.168.2.4	206.193.176.1
Jan 15, 2025 17:40:17.177534103 CET	52383	445	192.168.2.4	24.81.53.1
Jan 15, 2025 17:40:17.177534103 CET	52396	445	192.168.2.4	40.55.118.2
Jan 15, 2025 17:40:17.177587986 CET	52430	445	192.168.2.4	39.117.145.1
Jan 15, 2025 17:40:17.177644968 CET	52403	445	192.168.2.4	97.219.176.1
Jan 15, 2025 17:40:17.177644968 CET	52465	445	192.168.2.4	25.8.63.1
Jan 15, 2025 17:40:17.177654028 CET	52514	445	192.168.2.4	89.237.246.1
Jan 15, 2025 17:40:17.177834988 CET	52584	445	192.168.2.4	93.83.4.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:39:09.509358883 CET	63260	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:39:09.820863008 CET	53	63260	1.1.1.1	192.168.2.4
Jan 15, 2025 17:39:10.449203968 CET	58124	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:39:10.997303963 CET	53	58124	1.1.1.1	192.168.2.4
Jan 15, 2025 17:39:25.392129898 CET	138	138	192.168.2.4	192.168.2.255
Jan 15, 2025 17:39:26.127060890 CET	53	57189	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 17:39:09.509358883 CET	192.168.2.4	1.1.1.1	0xc9e0	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:39:10.449203968 CET	192.168.2.4	1.1.1.1	0x2140	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 17:39:09.820863008 CET	1.1.1.1	192.168.2.4	0xc9e0	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:39:10.997303963 CET	1.1.1.1	192.168.2.4	0x2140	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 17:39:10.997303963 CET	1.1.1.1	192.168.2.4	0x2140	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	103.224.212.215	80	6952	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:39:09.831712008 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:39:10.442640066 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:39:10 GMT server: Apache set-cookie: __tad=1736959150.4303657; expires=Sat, 13-Jan-2035 16:39:10 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111ddf5 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	199.59.243.228	80	6952	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:39:11.010627031 CET	169	OUT	GET /?subid1=20250116-0339-10de-bd4f-b194c111ddf5 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:39:11.495743990 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:39:10 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: c8e9fa67-ff38-48a4-b918-ac053a75dcf3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aL6FuBRg7eFkQFqTBKbiel+9AFiavYOalUs/fE77S0t1DYiFLt9xmlwlPPanLpV/ptGt1xo5vqLgmYraLoP40g== set-cookie: parking_session=c8e9fa67-ff38-48a4-b918-ac053a75dcf3; expires=Wed, 15 Jan 2025 16:54:11 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 4c 36 46 75 42 52 67 37 65 46 6b 51 46 71 54 42 4b 62 69 65 6c 2b 39 41 46 69 61 76 59 4f 61 6c 55 73 2f 66 45 37 37 53 30 74 31 44 59 69 46 4c 74 39 78 6d 6c 77 6c 50 50 61 6e 4c 70 56 2f 70 74 47 74 31 78 6f 35 76 71 4c 67 6d 59 72 61 4c 6f 50 34 30 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aL6FuBRg7eFkQFqTBKbiel+9AFiavYOalUs/fE77S0t1DYiFLt9xmlwlPPanLpV/ptGt1xo5vqLgmYraLoP40g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:39:11.495795965 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzhlOWZhNjctZmYzOC00OGE0LWI5MTgtYWMwNTNhNzVkY2YzIiwicGFnZV90aW1lIjoxNzM2OTU5MTUxLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	103.224.212.215	80	7128	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:39:11.680569887 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:39:12.306335926 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:39:12 GMT server: Apache set-cookie: __tad=1736959152.3008085; expires=Sat, 13-Jan-2035 16:39:12 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef804 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	199.59.243.228	80	7128	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:39:12.319102049 CET	169	OUT	GET /?subid1=20250116-0339-12e8-a7c6-ba11581ef804 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:39:12.802174091 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:39:12 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 6f78de3c-df38-43f4-bbfb-bbf332c163c4 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_V0lphZQRRvWUWORx4k8GOeiW/0pfCUFPJla/Si8JTWAkTt+LUOuyKb/Ug6sUfbawgfqYF/tHJ2eEqp8y5iVamA== set-cookie: parking_session=6f78de3c-df38-43f4-bbfb-bbf332c163c4; expires=Wed, 15 Jan 2025 16:54:12 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 30 6c 70 68 5a 51 52 52 76 57 55 57 4f 52 78 34 6b 38 47 4f 65 69 57 2f 30 70 66 43 55 46 50 4a 6c 61 2f 53 69 38 4a 54 57 41 6b 54 74 2b 4c 55 4f 75 79 4b 62 2f 55 67 36 73 55 66 62 61 77 67 66 71 59 46 2f 74 48 4a 32 65 45 71 70 38 79 35 69 56 61 6d 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_V0lphZQRRvWUWORx4k8GOeiW/0pfCUFPJla/Si8JTWAkTt+LUOuyKb/Ug6sUfbawgfqYF/tHJ2eEqp8y5iVamA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:39:12.802228928 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmY3OGRlM2MtZGYzOC00M2Y0LWJiZmItYmJmMzMyYzE2M2M0IiwicGFnZV90aW1lIjoxNzM2OTU5MTUyLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	103.224.212.215	80	5244	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:39:12.324337959 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736959150.4303657
Jan 15, 2025 17:39:12.943775892 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:39:12 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283ae8 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	199.59.243.228	80	5244	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:39:12.952877998 CET	231	OUT	GET /?subid1=20250116-0339-12ec-b81e-7c389c283ae8 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=c8e9fa67-ff38-48a4-b918-ac053a75dcf3
Jan 15, 2025 17:39:13.428018093 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:39:12 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 5565d711-11d4-47f6-a32c-4dba586750a1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xdP9nEOE76lfl7rTwLnhfZgb/deQxas/PqviC9PYIZsCYnhmqjOdM8SwBpAMa4/+BAF/NyUE9ocGNKMXE8yvBA== set-cookie: parking_session=c8e9fa67-ff38-48a4-b918-ac053a75dcf3; expires=Wed, 15 Jan 2025 16:54:13 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 78 64 50 39 6e 45 4f 45 37 36 6c 66 6c 37 72 54 77 4c 6e 68 66 5a 67 62 2f 64 65 51 78 61 73 2f 50 71 76 69 43 39 50 59 49 5a 73 43 59 6e 68 6d 71 6a 4f 64 4d 38 53 77 42 70 41 4d 61 34 2f 2b 42 41 46 2f 4e 79 55 45 39 6f 63 47 4e 4b 4d 58 45 38 79 76 42 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xdP9nEOE76lfl7rTwLnhfZgb/deQxas/PqviC9PYIZsCYnhmqjOdM8SwBpAMa4/+BAF/NyUE9ocGNKMXE8yvBA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 17:39:13.428070068 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzhlOWZhNjctZmYzOC00OGE0LWI5MTgtYWMwNTNhNzVkY2YzIiwicGFnZV90aW1lIjoxNzM2OTU5MTUzLCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	11:39:08
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll"
Imagebase:	0xbc0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:39:08
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:39:08
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:39:08
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\q4e7rZQEkL.dll,PlayGame
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:39:08
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",#1
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:39:08
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	EDF4881B12065F814C90F9DC71BE9B62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1725170395.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1725354645.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.1725354645.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:39:10
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	EDF4881B12065F814C90F9DC71BE9B62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1747794261.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2397891299.0000000002272000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2397891299.0000000002272000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1747920345.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1747920345.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2397614773.0000000001D53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2397614773.0000000001D53000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:39:11
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\q4e7rZQEkL.dll",PlayGame
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:39:11
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	EDF4881B12065F814C90F9DC71BE9B62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1766760488.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1766902808.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.1766902808.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1753881608.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1754163167.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1754163167.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA

Memory Dump Source

Source File: 00000005.00000002.1761569667.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1761514755.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761611904.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761755765.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.1761569667.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1761514755.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761611904.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761755765.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.1761569667.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1761514755.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761611904.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761755765.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000005.00000002.1761569667.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1761514755.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761611904.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761755765.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.1761569667.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1761514755.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761611904.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761755765.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1761855070.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7128, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2396743267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396726903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396759162.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396822642.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396838715.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2396743267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396726903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396759162.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396822642.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396838715.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000006.00000002.2396743267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396726903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396759162.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396822642.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396838715.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
CloseHandle, xrefs: 00407D29
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000006.00000002.2396743267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396726903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396759162.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396822642.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396838715.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2396743267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2396726903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396759162.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396772748.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396822642.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396838715.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.0000000000854000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2396921648.00000000008BE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283ae8	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef804	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111ddf5	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef8	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111dd	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283a	Avira URL Cloud: Label: malware

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0339-10de-bd4f-b194c111ddf5 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0339-12e8-a7c6-ba11581ef804 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736959150.4303657
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0339-12ec-b81e-7c389c283ae8 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=c8e9fa67-ff38-48a4-b918-ac053a75dcf3

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 103.224.212.215:80

Source: q4e7rZQEkL.dll	Virustotal: Detection: 90%			Perma Link
Source: q4e7rZQEkL.dll	ReversingLabs: Detection: 92%

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.195
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.195
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.195
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.195
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 29.177.137.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.52
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.52
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.52
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.52
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.22.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.70
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.70
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.70
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.70
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 76.56.126.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.176
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.176
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.176
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.176
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.55.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 40.55.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 40.55.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 40.55.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.55.118.162

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.1762491581.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-10de-bd4f-b194c111dd
Source: mssecsvr.exe, 00000006.00000003.1760599617.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000003.1760599617.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2397277086.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12e8-a7c6-ba11581ef8
Source: mssecsvr.exe, 00000008.00000002.1767669227.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0339-12ec-b81e-7c389c283a
Source: q4e7rZQEkL.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.2397277086.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.1767669227.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/4
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/d
Source: mssecsvr.exe, 00000008.00000002.1767669227.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/j
Source: mssecsvr.exe, 00000008.00000002.1767669227.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o
Source: mssecsvr.exe, 00000008.00000002.1767669227.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w
Source: mssecsvr.exe, 00000005.00000002.1762491581.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comD
Source: mssecsvr.exe, 00000006.00000002.2396694620.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: Yara match	File source: q4e7rZQEkL.dll, type: SAMPLE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.229596c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d76128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d53104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d44084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.2272948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.22638c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.229596c.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d76128.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.226e8e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d53104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.1d4f0a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.2272948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1766760488.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1761648202.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2396808946.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1725170395.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1725354645.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1747794261.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1766902808.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1753881608.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2397891299.0000000002272000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1747920345.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1754163167.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2397614773.0000000001D53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5244, type: MEMORYSTR

Source: q4e7rZQEkL.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: q4e7rZQEkL.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d44084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.229596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.229596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.229596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.1d76128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d76128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d76128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.1d53104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d53104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.1d53104.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.22638c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d44084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d44084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.2272948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.2272948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.2272948.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.22638c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.22638c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.229596c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.229596c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.229596c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.1d76128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d76128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d76128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvr.exe.226e8e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.226e8e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d53104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d53104.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.1d4f0a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.1d4f0a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.2272948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.2272948.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.1761855070.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.1725354645.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.1766902808.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2397891299.0000000002272000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2396921648.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1747920345.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1754163167.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2397614773.0000000001D53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report q4e7rZQEkL.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
q4e7rZQEkL.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre