Edit tour

Windows Analysis Report
1U9rHEz9Rg.dll

Overview

General Information

Sample name:	1U9rHEz9Rg.dll renamed because original name is a hash value
Original sample name:	ad31ca449f285250368196306a8ad77a.dll
Analysis ID:	1592130
MD5:	ad31ca449f285250368196306a8ad77a
SHA1:	abefa604d54027fac646df910a9ecbc462b01ec2
SHA256:	962caf150b14b5804de96484e8b911f93fcb26ab11f7e713d3f0c02a211c2577
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7356 cmdline: loaddll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7416 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7464 cmdline: rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7496 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 1DA4AA17D6682E2224513E559E86D658)

rundll32.exe (PID: 7424 cmdline: rundll32.exe C:\Users\user\Desktop\1U9rHEz9Rg.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7612 cmdline: rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7632 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 1DA4AA17D6682E2224513E559E86D658)

mssecsvc.exe (PID: 7604 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 1DA4AA17D6682E2224513E559E86D658)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1U9rHEz9Rg.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1U9rHEz9Rg.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1U9rHEz9Rg.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1395551943.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1414303371.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1392320862.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1365666506.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 7496	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7604	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7632	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.23da8c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1ea8084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.240c96c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvc.exe.240c96c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eda128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvc.exe.1eda128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eda128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eda128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.1eda128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.240c96c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.240c96c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.240c96c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.23e9948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e9948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.23e9948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.23e9948.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eb7104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb7104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.1eb7104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1eb7104.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.23da8c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23da8c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.23da8c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1ea8084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1ea8084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x295de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x285bb0:$x3: tasksche.exe 0x295dc0:$x3: tasksche.exe 0x295d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x295e14:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x25026c:$x7: mssecsvc.exe 0x26bb94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x285b88:$x8: C:\%s\qeriuwjhrf 0x295de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x250254:$s1: C:\%s\%s 0x26bb7c:$s1: C:\%s\%s 0x285b9c:$s1: C:\%s\%s 0x295d14:$s3: cmd.exe /c "%s" 0x2c8268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x282ed0:$s5: \\192.168.56.20\IPC$
8.2.mssecsvc.exe.1ea8084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1ea8084.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x295dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x295de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.23e9948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e9948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.23e9948.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eb30a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb30a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.1eb30a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.23e58e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e58e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.23e58e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eb7104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb7104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.1eb7104.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 88 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:59:06.541815+0100	2803304	3	Unknown Traffic	192.168.2.9	49742	103.224.212.215	80	TCP
2025-01-15T19:59:08.330079+0100	2803304	3	Unknown Traffic	192.168.2.9	49753	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:59:05.511684+0100	2830018	1	A Network Trojan was detected	192.168.2.9	53313	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1U9rHEz9Rg.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/U(	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c918b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354a7	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/V	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062af	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c91	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/F	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\mssecsvc.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 100%
Source: C:\Windows\mssecsvc.exe	ReversingLabs: Detection: 92%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: 1U9rHEz9Rg.dll	Virustotal: Detection: 87%			Perma Link
Source: 1U9rHEz9Rg.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1U9rHEz9Rg.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: 1U9rHEz9Rg.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.9:53313 -> 1.1.1.1:53

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0559-0613-ae2f-1ca90d9c918b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0559-089c-93ee-f812d32354a7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736967546.4825785
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0559-0897-b8cc-09a3c53062af HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=ad8299c7-89ff-4ec2-bbe2-55e27823d865

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49742 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49753 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.50
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.50
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.50
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.50
Source: unknown	TCP traffic detected without corresponding DNS query: 42.230.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.162
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.162
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.162
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.162
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.75.188.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.42
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.42
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.42
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.42
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.32.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 188.195.139.41
Source: unknown	TCP traffic detected without corresponding DNS query: 188.195.139.41
Source: unknown	TCP traffic detected without corresponding DNS query: 188.195.139.41
Source: unknown	TCP traffic detected without corresponding DNS query: 188.195.139.1
Source: unknown	TCP traffic detected without corresponding DNS query: 188.195.139.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0559-0613-ae2f-1ca90d9c918b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0559-089c-93ee-f812d32354a7 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736967546.4825785
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0559-0897-b8cc-09a3c53062af HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=ad8299c7-89ff-4ec2-bbe2-55e27823d865

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvc.exe, 00000006.00000002.1408503031.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw
Source: mssecsvc.exe, 00000006.00000002.1408503031.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1408503031.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c91
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000003.1413516723.0000000000C39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062
Source: mssecsvc.exe, 00000008.00000002.2046685688.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000003.1407663417.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2046685688.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/F
Source: mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/U(
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/V
Source: mssecsvc.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvc.exe, 00000006.00000002.1408503031.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com.?
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Y
Source: mssecsvc.exe, 00000008.00000002.2046038121.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comr

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: 1U9rHEz9Rg.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eda128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.240c96c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23da8c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e9948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb30a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e58e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb7104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1395551943.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1414303371.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1392320862.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1365666506.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 1U9rHEz9Rg.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1U9rHEz9Rg.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.23da8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ea8084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.240c96c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240c96c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eda128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eda128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eda128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eda128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.240c96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240c96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.23da8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23da8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.23e9948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e9948.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eb30a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb30a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.23e58e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e58e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eb7104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb7104.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: mssecsvc.exe.4.dr

Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: tasksche.exe.6.dr

Static PE information: No import functions for PE file found

Source: 1U9rHEz9Rg.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 1U9rHEz9Rg.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1U9rHEz9Rg.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.23da8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ea8084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.240c96c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240c96c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eda128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eda128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eda128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eda128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.240c96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240c96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.23e9948.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1eb7104.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.23da8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23da8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1ea8084.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.23e9948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e9948.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eb30a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb30a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.23e58e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e58e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eb7104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb7104.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: 1U9rHEz9Rg.dll, tasksche.exe.6.dr, mssecsvc.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/3@2/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03

Source: 1U9rHEz9Rg.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1U9rHEz9Rg.dll,PlayGame

Source: 1U9rHEz9Rg.dll	Virustotal: Detection: 87%
Source: 1U9rHEz9Rg.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1U9rHEz9Rg.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1U9rHEz9Rg.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 1U9rHEz9Rg.dll

Static file information: File size 5267459 > 1048576

Source: 1U9rHEz9Rg.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.616414583309269

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvc.exe

Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe TID: 7732	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7732	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7736	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7736	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7732	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(=
Source: mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs
Source: mssecsvc.exe, 00000006.00000002.1408503031.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1408503031.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000003.1407663417.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2046685688.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1414815496.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvc.exe, 00000008.00000003.1407663417.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2046685688.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1U9rHEz9Rg.dll	88%	Virustotal		Browse
1U9rHEz9Rg.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
1U9rHEz9Rg.dll	100%	Avira	TR/AD.WannaCry.pskpy
1U9rHEz9Rg.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvc.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvc.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/U(	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c918b	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comr	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354a7	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/V	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com.?	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062af	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c91	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/F	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c918b	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354a7	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062af	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/U(	mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354	mssecsvc.exe, 00000008.00000002.2046685688.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000003.1407663417.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2046685688.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvc.exe, 00000006.00000002.1408503031.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mssecsvc.exe.4.dr	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/V	mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062	mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000003.1413516723.0000000000C39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comr	mssecsvc.exe, 0000000A.00000002.1414815496.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com.?	mssecsvc.exe, 00000006.00000002.1408503031.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c91	mssecsvc.exe, 00000006.00000002.1408503031.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1408503031.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvc.exe, 00000008.00000002.2046038121.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Y	mssecsvc.exe, 0000000A.00000002.1414815496.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/F	mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2	mssecsvc.exe, 00000008.00000002.2046685688.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	mssecsvc.exe, 0000000A.00000002.1414815496.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
88.10.108.201	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
201.41.62.1	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
16.102.172.174	unknown	United States	unknown	unknown	false
42.230.216.50	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
164.135.40.116	unknown	Sweden	51551	CAPITA-ASGB	false
107.43.37.133	unknown	United States	16567	NETRIX-16567US	false
107.43.37.1	unknown	United States	16567	NETRIX-16567US	false
42.230.216.2	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
42.230.216.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
40.72.68.1	unknown	China	58593	BLUECLOUDShanghaiBlueCloudTechnologyCoLtdCN	false
143.249.87.243	unknown	United States	1781	KAIST-DAEJEON-AS-KRKoreaAdvancedInstituteofScienceand	false
67.221.200.130	unknown	United States	62943	AS62943-BLUEBIRD-NETWORKUS	false
185.184.157.183	unknown	United Kingdom	62217	VOOSERVERSGB	false
188.195.139.41	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	false
36.17.33.2	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
36.17.33.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
188.75.188.2	unknown	Czech Republic	196735	AS-JONCZjakubjonczCZ	false
188.75.188.1	unknown	Czech Republic	196735	AS-JONCZjakubjonczCZ	false
36.17.33.46	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
82.250.219.1	unknown	France	12322	PROXADFR	false
208.156.168.1	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
10.200.100.1
10.200.100.2
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592130
Start date and time:	2025-01-15 19:58:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1U9rHEz9Rg.dll renamed because original name is a hash value
Original Sample Name:	ad31ca449f285250368196306a8ad77a.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/3@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:59:06	API Interceptor	1x Sleep call for process: loaddll32.exe modified
13:59:42	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://52f1897b.5648702dd4d5255cab645104.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Order.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Order.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Order.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	random.exe	Get hash	malicious	LiteHTTP Bot	Browse	13.107.246.45
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	13.107.246.45
	Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3D	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://shunnarah.com/attorney/candace-t-brown	Get hash	malicious	Unknown	Browse	13.107.246.45
77026.bodis.com	QQE81XYXon.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	QQE81XYXon.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEFONICA_DE_ESPANAES	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	2.139.197.109
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	88.9.29.176
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	88.2.210.139
	xd.arm.elf	Get hash	malicious	Mirai	Browse	80.27.58.247
	mpsl.elf	Get hash	malicious	Mirai	Browse	81.39.167.31
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	79.149.62.181
	meth3.elf	Get hash	malicious	Mirai	Browse	80.37.247.26
	meth1.elf	Get hash	malicious	Mirai	Browse	195.55.237.236
	arm4.elf	Get hash	malicious	Unknown	Browse	79.157.112.164
	spc.elf	Get hash	malicious	Unknown	Browse	81.39.143.76
BrasilTelecomSA-FilialDistritoFederalBR	arm5.elf	Get hash	malicious	Mirai	Browse	201.67.116.232
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	201.35.38.199
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	189.11.80.74
	mips.elf	Get hash	malicious	Mirai	Browse	179.255.153.190
	m68k.elf	Get hash	malicious	Unknown	Browse	191.222.20.48
	meth4.elf	Get hash	malicious	Mirai	Browse	200.215.49.3
	x86_64.elf	Get hash	malicious	Unknown	Browse	187.5.92.93
	mips.elf	Get hash	malicious	Unknown	Browse	187.5.168.43
	res.arm5.elf	Get hash	malicious	Unknown	Browse	177.5.1.129
	6.elf	Get hash	malicious	Unknown	Browse	200.96.249.8
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	119.163.139.1
	bot.x86.elf	Get hash	malicious	Unknown	Browse	218.12.108.24
	bot.spc.elf	Get hash	malicious	Unknown	Browse	120.13.105.98
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	1.58.95.53
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	182.127.195.47
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	110.53.232.223
	bot.arm.elf	Get hash	malicious	Unknown	Browse	112.234.116.161
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	123.190.80.3
	i686.elf	Get hash	malicious	Mirai	Browse	175.19.79.106
	i486.elf	Get hash	malicious	Mirai	Browse	112.249.78.89

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.99213314060892
Encrypted:	true
SSDEEP:	49152:hqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:hqPoBhz1aRxcSUDk36SAEdhvm
MD5:	4CF1595972413914EE36C92584DA1C4F
SHA1:	2106CA6DDE83CA404EF9B00D998FD8B58628E3FB
SHA-256:	156CAE52162F94349AD25C4C2833769B20290AA5E48109479E8DD035B094F8BD
SHA-512:	08C5068F30C09E0941C60521ECBE69F4BE537DB3ADAAE47026E903F8466067347FCD522F37E9D56C464D0913F3B008038BBA1D0FC83637BA0E176BD24FCEDB9B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3723264
Entropy (8bit):	6.030842406453329
Encrypted:	false
SSDEEP:	49152:2n+qMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:y+qPoBhz1aRxcSUDk36SAEdhvxWa9
MD5:	1DA4AA17D6682E2224513E559E86D658
SHA1:	435B8D0AFB90A66BC63EAF9FDB5B1CE27D56DACD
SHA-256:	63500B6A365A6E688AFECDF632EA399B6E80529C17D292F1F1839A1C26DFED3D
SHA-512:	BF6993555E3F9AD33EF275DB233E80BAF7DDF5F66C288FCA2CF9CBC24AD6716DF50F987A987D1C6ABBD851BCC7CB29263C80FE0E43AE9E9EA4C0F9235224A89F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.99213314060892
Encrypted:	true
SSDEEP:	49152:hqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:hqPoBhz1aRxcSUDk36SAEdhvm
MD5:	4CF1595972413914EE36C92584DA1C4F
SHA1:	2106CA6DDE83CA404EF9B00D998FD8B58628E3FB
SHA-256:	156CAE52162F94349AD25C4C2833769B20290AA5E48109479E8DD035B094F8BD
SHA-512:	08C5068F30C09E0941C60521ECBE69F4BE537DB3ADAAE47026E903F8466067347FCD522F37E9D56C464D0913F3B008038BBA1D0FC83637BA0E176BD24FCEDB9B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.589104819256542
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1U9rHEz9Rg.dll
File size:	5'267'459 bytes
MD5:	ad31ca449f285250368196306a8ad77a
SHA1:	abefa604d54027fac646df910a9ecbc462b01ec2
SHA256:	962caf150b14b5804de96484e8b911f93fcb26ab11f7e713d3f0c02a211c2577
SHA512:	57700c858fd9f1b3bea65af6a75fc9770a8b7b98ae195b3d53d62a4d315012ea28cc28a4e2e7dc55e137e5611cf049f0cfe4ffc6110e3bfe22a437cb52af7c15
SSDEEP:	49152:Sn+qMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:++qPoBhz1aRxcSUDk36SAEdhvxWa9
TLSH:	2536339871BC91FCD20619B444A7CA52F2B23C6966FE6E0F9B4049761D03B5AFB90F43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F643472C7DBh
cmp dword ptr [10003140h], 00000000h
jmp 00007F643472C7F8h
cmp esi, 01h
je 00007F643472C7D7h
cmp esi, 02h
jne 00007F643472C7F4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F643472C7DBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F643472C7DEh
push edi
push esi
push ebx
call 00007F643472C6EAh
test eax, eax
jne 00007F643472C7D6h
xor eax, eax
jmp 00007F643472C820h
push edi
push esi
push ebx
call 00007F643472C59Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F643472C7DEh
test eax, eax
jne 00007F643472C809h
push edi
push eax
push ebx
call 00007F643472C6C6h
test esi, esi
je 00007F643472C7D7h
cmp esi, 03h
jne 00007F643472C7F8h
push edi
push esi
push ebx
call 00007F643472C6B5h
test eax, eax
jne 00007F643472C7D5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F643472C7E3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F643472C7DAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	3ddc8bfc0e0e4fab84bc26b30746cd54	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8785982131958008

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T19:59:05.511684+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.9	53313	1.1.1.1	53	UDP
2025-01-15T19:59:06.541815+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49742	103.224.212.215	80	TCP
2025-01-15T19:59:08.330079+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49753	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 19:58:57.214086056 CET	49677	443	192.168.2.9	20.189.173.11
Jan 15, 2025 19:58:59.370254993 CET	49676	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:58:59.370281935 CET	49675	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:58:59.604712009 CET	49674	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:58:59.620378017 CET	49677	443	192.168.2.9	20.189.173.11
Jan 15, 2025 19:59:04.432801962 CET	49677	443	192.168.2.9	20.189.173.11
Jan 15, 2025 19:59:05.635850906 CET	49673	443	192.168.2.9	204.79.197.203
Jan 15, 2025 19:59:05.824378014 CET	49742	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:05.829217911 CET	80	49742	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:05.829319954 CET	49742	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:05.829505920 CET	49742	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:05.834260941 CET	80	49742	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:06.541752100 CET	80	49742	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:06.541815042 CET	49742	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:06.541872978 CET	80	49742	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:06.541915894 CET	49742	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:06.548531055 CET	49742	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:06.553333044 CET	80	49742	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:06.881330013 CET	49748	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:06.886117935 CET	80	49748	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:06.886200905 CET	49748	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:06.886321068 CET	49748	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:06.891151905 CET	80	49748	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:07.348448038 CET	80	49748	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:07.348469019 CET	80	49748	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:07.348535061 CET	49748	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:07.353758097 CET	49748	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:07.353785992 CET	49748	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:07.721349955 CET	49753	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:07.726155043 CET	80	49753	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:07.726239920 CET	49753	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:07.734153032 CET	49753	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:07.738944054 CET	80	49753	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:08.329915047 CET	80	49753	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:08.329932928 CET	80	49753	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:08.330079079 CET	49753	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:08.330079079 CET	49753	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:08.377758980 CET	49753	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:08.379645109 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.382572889 CET	80	49753	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:08.384531975 CET	80	49757	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:08.384608984 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.424168110 CET	49758	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:08.429058075 CET	80	49758	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:08.429151058 CET	49758	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:08.533899069 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.538753033 CET	80	49757	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:08.594605923 CET	49758	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:08.599412918 CET	80	49758	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:08.848803997 CET	80	49757	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:08.848819971 CET	80	49757	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:08.848865032 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.848889112 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.856329918 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.856358051 CET	49757	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:08.933996916 CET	49763	445	192.168.2.9	42.230.216.50
Jan 15, 2025 19:59:08.938891888 CET	445	49763	42.230.216.50	192.168.2.9
Jan 15, 2025 19:59:08.938971996 CET	49763	445	192.168.2.9	42.230.216.50
Jan 15, 2025 19:59:08.939021111 CET	49763	445	192.168.2.9	42.230.216.50
Jan 15, 2025 19:59:08.944303989 CET	49764	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.945204973 CET	445	49763	42.230.216.50	192.168.2.9
Jan 15, 2025 19:59:08.949233055 CET	445	49764	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:08.949299097 CET	49764	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.950356007 CET	49764	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.951934099 CET	49765	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.956902981 CET	445	49765	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:08.956974983 CET	49765	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.957050085 CET	49765	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.957591057 CET	445	49764	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:08.961797953 CET	445	49765	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:08.975408077 CET	445	49763	42.230.216.50	192.168.2.9
Jan 15, 2025 19:59:08.975528955 CET	49763	445	192.168.2.9	42.230.216.50
Jan 15, 2025 19:59:08.978099108 CET	445	49764	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:08.978146076 CET	49764	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:08.979609013 CET	49676	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:59:08.979626894 CET	49675	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:59:09.044250965 CET	80	49758	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:09.044306993 CET	49758	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:09.044492006 CET	80	49758	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:09.044537067 CET	49758	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:09.047010899 CET	49758	80	192.168.2.9	103.224.212.215
Jan 15, 2025 19:59:09.048481941 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:09.051976919 CET	80	49758	103.224.212.215	192.168.2.9
Jan 15, 2025 19:59:09.053384066 CET	80	49769	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:09.053453922 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:09.053673029 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:09.058446884 CET	80	49769	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:09.205251932 CET	49674	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:59:09.519624949 CET	80	49769	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:09.519670963 CET	80	49769	199.59.243.228	192.168.2.9
Jan 15, 2025 19:59:09.519714117 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:09.519756079 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:09.527582884 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:09.527612925 CET	49769	80	192.168.2.9	199.59.243.228
Jan 15, 2025 19:59:10.906043053 CET	49797	445	192.168.2.9	188.75.188.162
Jan 15, 2025 19:59:10.907706022 CET	443	49704	23.206.229.209	192.168.2.9
Jan 15, 2025 19:59:10.910203934 CET	49704	443	192.168.2.9	23.206.229.209
Jan 15, 2025 19:59:10.910834074 CET	445	49797	188.75.188.162	192.168.2.9
Jan 15, 2025 19:59:10.911077976 CET	49797	445	192.168.2.9	188.75.188.162
Jan 15, 2025 19:59:10.911214113 CET	49797	445	192.168.2.9	188.75.188.162
Jan 15, 2025 19:59:10.915719032 CET	49798	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.916048050 CET	445	49797	188.75.188.162	192.168.2.9
Jan 15, 2025 19:59:10.916238070 CET	49797	445	192.168.2.9	188.75.188.162
Jan 15, 2025 19:59:10.920530081 CET	445	49798	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:10.920591116 CET	49798	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.920670986 CET	49798	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.922336102 CET	49799	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.925673008 CET	445	49798	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:10.925724030 CET	49798	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.927217960 CET	445	49799	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:10.927280903 CET	49799	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.927387953 CET	49799	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:10.932149887 CET	445	49799	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:12.918922901 CET	49832	445	192.168.2.9	79.172.32.42
Jan 15, 2025 19:59:12.923736095 CET	445	49832	79.172.32.42	192.168.2.9
Jan 15, 2025 19:59:12.923839092 CET	49832	445	192.168.2.9	79.172.32.42
Jan 15, 2025 19:59:12.923938990 CET	49832	445	192.168.2.9	79.172.32.42
Jan 15, 2025 19:59:12.924324989 CET	49833	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.928750038 CET	445	49832	79.172.32.42	192.168.2.9
Jan 15, 2025 19:59:12.928822041 CET	49832	445	192.168.2.9	79.172.32.42
Jan 15, 2025 19:59:12.929133892 CET	445	49833	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:12.929197073 CET	49833	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.929243088 CET	49833	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.930617094 CET	49834	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.934052944 CET	445	49833	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:12.934129000 CET	49833	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.935394049 CET	445	49834	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:12.935461998 CET	49834	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.935543060 CET	49834	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:12.940241098 CET	445	49834	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:14.042160034 CET	49677	443	192.168.2.9	20.189.173.11
Jan 15, 2025 19:59:14.935816050 CET	49856	445	192.168.2.9	188.195.139.41
Jan 15, 2025 19:59:14.940633059 CET	445	49856	188.195.139.41	192.168.2.9
Jan 15, 2025 19:59:14.940716028 CET	49856	445	192.168.2.9	188.195.139.41
Jan 15, 2025 19:59:14.940807104 CET	49856	445	192.168.2.9	188.195.139.41
Jan 15, 2025 19:59:14.941122055 CET	49857	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:14.945919037 CET	445	49857	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:14.945987940 CET	49857	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:14.946126938 CET	49857	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:14.947909117 CET	49858	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:14.949139118 CET	445	49856	188.195.139.41	192.168.2.9
Jan 15, 2025 19:59:14.954040051 CET	445	49858	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:14.954055071 CET	445	49857	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:14.954128981 CET	49858	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:14.954241037 CET	49858	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:14.959048986 CET	445	49858	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:14.971940041 CET	445	49856	188.195.139.41	192.168.2.9
Jan 15, 2025 19:59:14.972002029 CET	49856	445	192.168.2.9	188.195.139.41
Jan 15, 2025 19:59:14.972213030 CET	445	49857	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:14.972255945 CET	49857	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:16.950730085 CET	49879	445	192.168.2.9	10.200.100.205
Jan 15, 2025 19:59:16.955720901 CET	445	49879	10.200.100.205	192.168.2.9
Jan 15, 2025 19:59:16.955799103 CET	49879	445	192.168.2.9	10.200.100.205
Jan 15, 2025 19:59:16.955898046 CET	49879	445	192.168.2.9	10.200.100.205
Jan 15, 2025 19:59:16.956180096 CET	49880	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.961076975 CET	445	49880	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:16.961142063 CET	49880	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.961230040 CET	445	49879	10.200.100.205	192.168.2.9
Jan 15, 2025 19:59:16.961250067 CET	49880	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.963102102 CET	49881	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.968013048 CET	445	49881	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:16.968082905 CET	49881	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.968122005 CET	49881	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.970237970 CET	445	49879	10.200.100.205	192.168.2.9
Jan 15, 2025 19:59:16.970289946 CET	49879	445	192.168.2.9	10.200.100.205
Jan 15, 2025 19:59:16.970367908 CET	445	49880	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:16.970413923 CET	49880	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:16.972935915 CET	445	49881	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:18.986850023 CET	49904	445	192.168.2.9	164.135.40.116
Jan 15, 2025 19:59:18.991730928 CET	445	49904	164.135.40.116	192.168.2.9
Jan 15, 2025 19:59:18.991806030 CET	49904	445	192.168.2.9	164.135.40.116
Jan 15, 2025 19:59:18.991993904 CET	49904	445	192.168.2.9	164.135.40.116
Jan 15, 2025 19:59:18.992539883 CET	49906	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:18.996809006 CET	445	49904	164.135.40.116	192.168.2.9
Jan 15, 2025 19:59:18.996856928 CET	49904	445	192.168.2.9	164.135.40.116
Jan 15, 2025 19:59:18.997374058 CET	445	49906	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:18.997502089 CET	49906	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:18.997502089 CET	49906	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:19.002957106 CET	445	49906	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:19.003149033 CET	49906	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:19.487675905 CET	49907	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:19.492593050 CET	445	49907	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:19.492698908 CET	49907	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:19.492835999 CET	49907	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:19.497550011 CET	445	49907	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:20.999335051 CET	49926	445	192.168.2.9	160.106.135.209
Jan 15, 2025 19:59:21.004210949 CET	445	49926	160.106.135.209	192.168.2.9
Jan 15, 2025 19:59:21.007337093 CET	49926	445	192.168.2.9	160.106.135.209
Jan 15, 2025 19:59:21.009696960 CET	49926	445	192.168.2.9	160.106.135.209
Jan 15, 2025 19:59:21.009710073 CET	49927	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.014966965 CET	445	49927	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:21.014980078 CET	445	49926	160.106.135.209	192.168.2.9
Jan 15, 2025 19:59:21.015069008 CET	49927	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.015166998 CET	49927	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.015265942 CET	49926	445	192.168.2.9	160.106.135.209
Jan 15, 2025 19:59:21.015547991 CET	49928	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.020504951 CET	445	49928	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:21.020580053 CET	49928	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.020598888 CET	49928	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.021141052 CET	445	49927	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:21.021255970 CET	445	49927	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:21.021306038 CET	49927	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:21.025392056 CET	445	49928	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:23.011310101 CET	49950	445	192.168.2.9	36.17.33.46
Jan 15, 2025 19:59:23.016705036 CET	445	49950	36.17.33.46	192.168.2.9
Jan 15, 2025 19:59:23.016802073 CET	49950	445	192.168.2.9	36.17.33.46
Jan 15, 2025 19:59:23.016832113 CET	49950	445	192.168.2.9	36.17.33.46
Jan 15, 2025 19:59:23.017019987 CET	49951	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:23.021842957 CET	445	49951	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:23.021914005 CET	445	49950	36.17.33.46	192.168.2.9
Jan 15, 2025 19:59:23.022027016 CET	49950	445	192.168.2.9	36.17.33.46
Jan 15, 2025 19:59:23.022357941 CET	49952	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:23.022358894 CET	49951	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:23.027143955 CET	445	49952	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:23.027206898 CET	49952	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:23.027245045 CET	445	49951	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:23.027287960 CET	49952	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:23.027303934 CET	49951	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:23.032140970 CET	445	49952	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:25.027173042 CET	49972	445	192.168.2.9	52.2.231.109
Jan 15, 2025 19:59:25.032104969 CET	445	49972	52.2.231.109	192.168.2.9
Jan 15, 2025 19:59:25.032341003 CET	49972	445	192.168.2.9	52.2.231.109
Jan 15, 2025 19:59:25.032380104 CET	49972	445	192.168.2.9	52.2.231.109
Jan 15, 2025 19:59:25.032571077 CET	49973	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.037444115 CET	445	49973	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:25.037476063 CET	445	49972	52.2.231.109	192.168.2.9
Jan 15, 2025 19:59:25.037519932 CET	49973	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.037550926 CET	49972	445	192.168.2.9	52.2.231.109
Jan 15, 2025 19:59:25.037704945 CET	49973	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.038038969 CET	49974	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.042634010 CET	445	49973	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:25.042702913 CET	49973	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.042951107 CET	445	49974	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:25.043011904 CET	49974	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.043042898 CET	49974	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:25.047940016 CET	445	49974	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:27.042716026 CET	49997	445	192.168.2.9	88.10.108.201
Jan 15, 2025 19:59:27.047542095 CET	445	49997	88.10.108.201	192.168.2.9
Jan 15, 2025 19:59:27.047638893 CET	49997	445	192.168.2.9	88.10.108.201
Jan 15, 2025 19:59:27.047713041 CET	49997	445	192.168.2.9	88.10.108.201
Jan 15, 2025 19:59:27.047888994 CET	49998	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.052598000 CET	445	49997	88.10.108.201	192.168.2.9
Jan 15, 2025 19:59:27.052640915 CET	445	49998	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:27.052679062 CET	49997	445	192.168.2.9	88.10.108.201
Jan 15, 2025 19:59:27.052721024 CET	49998	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.052795887 CET	49998	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.053194046 CET	49999	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.057671070 CET	445	49998	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:27.057806015 CET	49998	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.058041096 CET	445	49999	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:27.058126926 CET	49999	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.058154106 CET	49999	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:27.062908888 CET	445	49999	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:29.058294058 CET	50021	445	192.168.2.9	107.43.37.133
Jan 15, 2025 19:59:29.134335995 CET	445	50021	107.43.37.133	192.168.2.9
Jan 15, 2025 19:59:29.134504080 CET	50021	445	192.168.2.9	107.43.37.133
Jan 15, 2025 19:59:29.134783983 CET	50021	445	192.168.2.9	107.43.37.133
Jan 15, 2025 19:59:29.134789944 CET	50023	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.139543056 CET	445	50021	107.43.37.133	192.168.2.9
Jan 15, 2025 19:59:29.139600039 CET	50021	445	192.168.2.9	107.43.37.133
Jan 15, 2025 19:59:29.139628887 CET	445	50023	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:29.139688969 CET	50023	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.139766932 CET	50023	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.140048027 CET	50024	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.144843102 CET	445	50024	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:29.144928932 CET	50024	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.144977093 CET	50024	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.145138025 CET	445	50023	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:29.145484924 CET	445	50023	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:29.145529032 CET	50023	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:29.149720907 CET	445	50024	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:30.335788012 CET	445	49765	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:30.335906982 CET	49765	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:30.336066008 CET	49765	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:30.336160898 CET	49765	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:30.340876102 CET	445	49765	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:30.340946913 CET	445	49765	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:31.100779057 CET	50046	445	192.168.2.9	208.156.168.122
Jan 15, 2025 19:59:31.105604887 CET	445	50046	208.156.168.122	192.168.2.9
Jan 15, 2025 19:59:31.105668068 CET	50046	445	192.168.2.9	208.156.168.122
Jan 15, 2025 19:59:31.108515024 CET	50046	445	192.168.2.9	208.156.168.122
Jan 15, 2025 19:59:31.108647108 CET	50047	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.113430023 CET	445	50046	208.156.168.122	192.168.2.9
Jan 15, 2025 19:59:31.113441944 CET	445	50047	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:31.113477945 CET	50046	445	192.168.2.9	208.156.168.122
Jan 15, 2025 19:59:31.113509893 CET	50047	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.114911079 CET	50047	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.115348101 CET	50048	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.119730949 CET	445	50047	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:31.119766951 CET	50047	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.120083094 CET	445	50048	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:31.120131969 CET	50048	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.120162010 CET	50048	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:31.124861002 CET	445	50048	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:32.320067883 CET	445	49799	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:32.320151091 CET	49799	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:32.320214033 CET	49799	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:32.320283890 CET	49799	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:32.324980974 CET	445	49799	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:32.325052023 CET	445	49799	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:33.105350018 CET	50069	445	192.168.2.9	106.99.254.161
Jan 15, 2025 19:59:33.110233068 CET	445	50069	106.99.254.161	192.168.2.9
Jan 15, 2025 19:59:33.110317945 CET	50069	445	192.168.2.9	106.99.254.161
Jan 15, 2025 19:59:33.110388041 CET	50069	445	192.168.2.9	106.99.254.161
Jan 15, 2025 19:59:33.110495090 CET	50070	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.115416050 CET	445	50070	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:33.115427971 CET	445	50069	106.99.254.161	192.168.2.9
Jan 15, 2025 19:59:33.115518093 CET	50069	445	192.168.2.9	106.99.254.161
Jan 15, 2025 19:59:33.115524054 CET	50070	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.120105982 CET	50070	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.120760918 CET	50071	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.125600100 CET	445	50071	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:33.125669956 CET	50071	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.125727892 CET	50071	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.126075029 CET	445	50070	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:33.126127005 CET	50070	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:33.130537033 CET	445	50071	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:33.339883089 CET	50075	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:33.345308065 CET	445	50075	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:33.345382929 CET	50075	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:33.345451117 CET	50075	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:33.350770950 CET	445	50075	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:34.323266983 CET	445	49834	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:34.323318958 CET	49834	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:34.323370934 CET	49834	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:34.323664904 CET	49834	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:34.330121040 CET	445	49834	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:34.330739021 CET	445	49834	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:35.121226072 CET	50081	445	192.168.2.9	165.49.37.175
Jan 15, 2025 19:59:35.126106977 CET	445	50081	165.49.37.175	192.168.2.9
Jan 15, 2025 19:59:35.128058910 CET	50081	445	192.168.2.9	165.49.37.175
Jan 15, 2025 19:59:35.128077984 CET	50081	445	192.168.2.9	165.49.37.175
Jan 15, 2025 19:59:35.128252029 CET	50082	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.133155107 CET	445	50081	165.49.37.175	192.168.2.9
Jan 15, 2025 19:59:35.133171082 CET	445	50082	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:35.133229971 CET	50081	445	192.168.2.9	165.49.37.175
Jan 15, 2025 19:59:35.133264065 CET	50082	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.133299112 CET	50082	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.133579016 CET	50083	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.138225079 CET	445	50082	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:35.138350964 CET	445	50083	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:35.138432026 CET	50082	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.138454914 CET	50083	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.138490915 CET	50083	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:35.143285990 CET	445	50083	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:35.323918104 CET	50084	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:35.328903913 CET	445	50084	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:35.332041025 CET	50084	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:35.332079887 CET	50084	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:35.336952925 CET	445	50084	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:36.335814953 CET	445	49858	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:36.335899115 CET	49858	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:36.338798046 CET	49858	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:36.338926077 CET	49858	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:36.343734980 CET	445	49858	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:36.343750954 CET	445	49858	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:37.239888906 CET	50085	445	192.168.2.9	71.134.184.172
Jan 15, 2025 19:59:37.244745970 CET	445	50085	71.134.184.172	192.168.2.9
Jan 15, 2025 19:59:37.244824886 CET	50085	445	192.168.2.9	71.134.184.172
Jan 15, 2025 19:59:37.244899988 CET	50085	445	192.168.2.9	71.134.184.172
Jan 15, 2025 19:59:37.245223999 CET	50086	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.250046968 CET	445	50086	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:37.250111103 CET	50086	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.250233889 CET	50086	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.250597000 CET	50087	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.251883984 CET	445	50085	71.134.184.172	192.168.2.9
Jan 15, 2025 19:59:37.251936913 CET	50085	445	192.168.2.9	71.134.184.172
Jan 15, 2025 19:59:37.255141973 CET	445	50086	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:37.255189896 CET	50086	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.255369902 CET	445	50087	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:37.255431890 CET	50087	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.255465984 CET	50087	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:37.260205984 CET	445	50087	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:37.339843035 CET	50088	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:37.344726086 CET	445	50088	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:37.344880104 CET	50088	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:37.344989061 CET	50088	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:37.349719048 CET	445	50088	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:38.401521921 CET	445	49881	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:38.401602983 CET	49881	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:38.401725054 CET	49881	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:38.401901007 CET	49881	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:38.406470060 CET	445	49881	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:38.406691074 CET	445	49881	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:39.247806072 CET	50089	445	192.168.2.9	67.221.200.130
Jan 15, 2025 19:59:39.252648115 CET	445	50089	67.221.200.130	192.168.2.9
Jan 15, 2025 19:59:39.252742052 CET	50089	445	192.168.2.9	67.221.200.130
Jan 15, 2025 19:59:39.252774000 CET	50089	445	192.168.2.9	67.221.200.130
Jan 15, 2025 19:59:39.252954960 CET	50090	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.257728100 CET	445	50089	67.221.200.130	192.168.2.9
Jan 15, 2025 19:59:39.257778883 CET	50089	445	192.168.2.9	67.221.200.130
Jan 15, 2025 19:59:39.257797003 CET	445	50090	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:39.257853985 CET	50090	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.257872105 CET	50090	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.258155107 CET	50091	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.262784958 CET	445	50090	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:39.262850046 CET	50090	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.262904882 CET	445	50091	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:39.262959003 CET	50091	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.262994051 CET	50091	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:39.267739058 CET	445	50091	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:39.355001926 CET	50092	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:39.359914064 CET	445	50092	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:39.360049963 CET	50092	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:39.360084057 CET	50092	445	192.168.2.9	188.195.139.1
Jan 15, 2025 19:59:39.364840031 CET	445	50092	188.195.139.1	192.168.2.9
Jan 15, 2025 19:59:40.755093098 CET	445	50091	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:40.755182981 CET	50091	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:40.755217075 CET	50091	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:40.755276918 CET	50091	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:40.760899067 CET	445	50091	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:40.760911942 CET	445	50091	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:40.877868891 CET	445	49907	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:40.878082037 CET	49907	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:40.878153086 CET	49907	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:40.878348112 CET	49907	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:40.882913113 CET	445	49907	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:40.883138895 CET	445	49907	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:41.263355017 CET	50093	445	192.168.2.9	215.248.16.182
Jan 15, 2025 19:59:41.268279076 CET	445	50093	215.248.16.182	192.168.2.9
Jan 15, 2025 19:59:41.268414974 CET	50093	445	192.168.2.9	215.248.16.182
Jan 15, 2025 19:59:41.268636942 CET	50093	445	192.168.2.9	215.248.16.182
Jan 15, 2025 19:59:41.268800974 CET	50094	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.273472071 CET	445	50093	215.248.16.182	192.168.2.9
Jan 15, 2025 19:59:41.273561001 CET	445	50094	215.248.16.1	192.168.2.9
Jan 15, 2025 19:59:41.273585081 CET	50093	445	192.168.2.9	215.248.16.182
Jan 15, 2025 19:59:41.273652077 CET	50094	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.273797035 CET	50094	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.274171114 CET	50095	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.278604984 CET	445	50094	215.248.16.1	192.168.2.9
Jan 15, 2025 19:59:41.278682947 CET	50094	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.278979063 CET	445	50095	215.248.16.1	192.168.2.9
Jan 15, 2025 19:59:41.279043913 CET	50095	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.279081106 CET	50095	445	192.168.2.9	215.248.16.1
Jan 15, 2025 19:59:41.283859015 CET	445	50095	215.248.16.1	192.168.2.9
Jan 15, 2025 19:59:41.417951107 CET	50096	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:41.422846079 CET	445	50096	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:41.423002005 CET	50096	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:41.423151016 CET	50096	445	192.168.2.9	10.200.100.1
Jan 15, 2025 19:59:41.427937031 CET	445	50096	10.200.100.1	192.168.2.9
Jan 15, 2025 19:59:42.399620056 CET	445	49928	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:42.399732113 CET	49928	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:42.399796963 CET	49928	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:42.399851084 CET	49928	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:42.404544115 CET	445	49928	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:42.404593945 CET	445	49928	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:43.280415058 CET	50097	445	192.168.2.9	16.102.172.174
Jan 15, 2025 19:59:43.285183907 CET	445	50097	16.102.172.174	192.168.2.9
Jan 15, 2025 19:59:43.285294056 CET	50097	445	192.168.2.9	16.102.172.174
Jan 15, 2025 19:59:43.285331011 CET	50097	445	192.168.2.9	16.102.172.174
Jan 15, 2025 19:59:43.285521984 CET	50098	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.290266991 CET	445	50098	16.102.172.1	192.168.2.9
Jan 15, 2025 19:59:43.290374041 CET	445	50097	16.102.172.174	192.168.2.9
Jan 15, 2025 19:59:43.290381908 CET	50098	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.290435076 CET	50097	445	192.168.2.9	16.102.172.174
Jan 15, 2025 19:59:43.290568113 CET	50098	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.290884972 CET	50099	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.295538902 CET	445	50098	16.102.172.1	192.168.2.9
Jan 15, 2025 19:59:43.295593977 CET	50098	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.295646906 CET	445	50099	16.102.172.1	192.168.2.9
Jan 15, 2025 19:59:43.295727968 CET	50099	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.295773983 CET	50099	445	192.168.2.9	16.102.172.1
Jan 15, 2025 19:59:43.300616980 CET	445	50099	16.102.172.1	192.168.2.9
Jan 15, 2025 19:59:43.761322975 CET	50100	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:43.766757965 CET	445	50100	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:43.766875982 CET	50100	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:43.766990900 CET	50100	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:43.771820068 CET	445	50100	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:43.886743069 CET	50101	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:43.891618967 CET	445	50101	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:43.893285990 CET	50101	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:43.893383026 CET	50101	445	192.168.2.9	164.135.40.1
Jan 15, 2025 19:59:43.898338079 CET	445	50101	164.135.40.1	192.168.2.9
Jan 15, 2025 19:59:44.382921934 CET	445	49952	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:44.383218050 CET	49952	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:44.383425951 CET	49952	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:44.383603096 CET	49952	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:44.388344049 CET	445	49952	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:44.388528109 CET	445	49952	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:45.152134895 CET	50102	445	192.168.2.9	74.8.58.92
Jan 15, 2025 19:59:45.157876015 CET	445	50102	74.8.58.92	192.168.2.9
Jan 15, 2025 19:59:45.157972097 CET	50102	445	192.168.2.9	74.8.58.92
Jan 15, 2025 19:59:45.158008099 CET	50102	445	192.168.2.9	74.8.58.92
Jan 15, 2025 19:59:45.158122063 CET	50103	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.162981033 CET	445	50103	74.8.58.1	192.168.2.9
Jan 15, 2025 19:59:45.163034916 CET	50103	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.163121939 CET	445	50102	74.8.58.92	192.168.2.9
Jan 15, 2025 19:59:45.163130045 CET	50103	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.163166046 CET	50102	445	192.168.2.9	74.8.58.92
Jan 15, 2025 19:59:45.163415909 CET	50104	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.168234110 CET	445	50103	74.8.58.1	192.168.2.9
Jan 15, 2025 19:59:45.168253899 CET	445	50104	74.8.58.1	192.168.2.9
Jan 15, 2025 19:59:45.168417931 CET	50103	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.168451071 CET	50104	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.168467999 CET	50104	445	192.168.2.9	74.8.58.1
Jan 15, 2025 19:59:45.174801111 CET	445	50104	74.8.58.1	192.168.2.9
Jan 15, 2025 19:59:45.252994061 CET	445	50100	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:45.253071070 CET	50100	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:45.258685112 CET	50100	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:45.258725882 CET	50100	445	192.168.2.9	67.221.200.1
Jan 15, 2025 19:59:45.323683977 CET	50105	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.401916981 CET	50106	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:45.437278032 CET	445	50100	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:45.437293053 CET	445	50100	67.221.200.1	192.168.2.9
Jan 15, 2025 19:59:45.437302113 CET	445	50105	67.221.200.2	192.168.2.9
Jan 15, 2025 19:59:45.437438011 CET	50105	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.437545061 CET	50105	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.437942028 CET	50107	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.438026905 CET	445	50106	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:45.438086033 CET	50106	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:45.438137054 CET	50106	445	192.168.2.9	160.106.135.1
Jan 15, 2025 19:59:45.442715883 CET	445	50105	67.221.200.2	192.168.2.9
Jan 15, 2025 19:59:45.442727089 CET	445	50107	67.221.200.2	192.168.2.9
Jan 15, 2025 19:59:45.442780972 CET	50105	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.442814112 CET	50107	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.442814112 CET	50107	445	192.168.2.9	67.221.200.2
Jan 15, 2025 19:59:45.442864895 CET	445	50106	160.106.135.1	192.168.2.9
Jan 15, 2025 19:59:45.450308084 CET	445	50107	67.221.200.2	192.168.2.9
Jan 15, 2025 19:59:46.415369034 CET	445	49974	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:46.415606022 CET	49974	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:46.415765047 CET	49974	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:46.415810108 CET	49974	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:46.420619011 CET	445	49974	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:46.420630932 CET	445	49974	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:46.902434111 CET	50108	445	192.168.2.9	153.98.17.100
Jan 15, 2025 19:59:46.907387972 CET	445	50108	153.98.17.100	192.168.2.9
Jan 15, 2025 19:59:46.907476902 CET	50108	445	192.168.2.9	153.98.17.100
Jan 15, 2025 19:59:46.907546997 CET	50108	445	192.168.2.9	153.98.17.100
Jan 15, 2025 19:59:46.907686949 CET	50109	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.912565947 CET	445	50109	153.98.17.1	192.168.2.9
Jan 15, 2025 19:59:46.912635088 CET	50109	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.912684917 CET	50109	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.912715912 CET	445	50108	153.98.17.100	192.168.2.9
Jan 15, 2025 19:59:46.912761927 CET	50108	445	192.168.2.9	153.98.17.100
Jan 15, 2025 19:59:46.913026094 CET	50110	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.917684078 CET	445	50109	153.98.17.1	192.168.2.9
Jan 15, 2025 19:59:46.917795897 CET	50109	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.917901039 CET	445	50110	153.98.17.1	192.168.2.9
Jan 15, 2025 19:59:46.917963028 CET	50110	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.917996883 CET	50110	445	192.168.2.9	153.98.17.1
Jan 15, 2025 19:59:46.922801018 CET	445	50110	153.98.17.1	192.168.2.9
Jan 15, 2025 19:59:47.386538982 CET	50111	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:47.391393900 CET	445	50111	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:47.391474962 CET	50111	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:47.391740084 CET	50111	445	192.168.2.9	36.17.33.1
Jan 15, 2025 19:59:47.396480083 CET	445	50111	36.17.33.1	192.168.2.9
Jan 15, 2025 19:59:48.415100098 CET	445	49999	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:48.415178061 CET	49999	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:48.415211916 CET	49999	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:48.415250063 CET	49999	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:48.420049906 CET	445	49999	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:48.420061111 CET	445	49999	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:48.542902946 CET	50112	445	192.168.2.9	58.65.156.173
Jan 15, 2025 19:59:48.547699928 CET	445	50112	58.65.156.173	192.168.2.9
Jan 15, 2025 19:59:48.547782898 CET	50112	445	192.168.2.9	58.65.156.173
Jan 15, 2025 19:59:48.547843933 CET	50112	445	192.168.2.9	58.65.156.173
Jan 15, 2025 19:59:48.547966957 CET	50113	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.552723885 CET	445	50112	58.65.156.173	192.168.2.9
Jan 15, 2025 19:59:48.552768946 CET	445	50113	58.65.156.1	192.168.2.9
Jan 15, 2025 19:59:48.552884102 CET	50112	445	192.168.2.9	58.65.156.173
Jan 15, 2025 19:59:48.552911043 CET	50113	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.552983046 CET	50113	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.553261995 CET	50114	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.557954073 CET	445	50113	58.65.156.1	192.168.2.9
Jan 15, 2025 19:59:48.558007956 CET	50113	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.558131933 CET	445	50114	58.65.156.1	192.168.2.9
Jan 15, 2025 19:59:48.558197021 CET	50114	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.558300972 CET	50114	445	192.168.2.9	58.65.156.1
Jan 15, 2025 19:59:48.563026905 CET	445	50114	58.65.156.1	192.168.2.9
Jan 15, 2025 19:59:49.417557955 CET	50115	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:49.422322035 CET	445	50115	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:49.422413111 CET	50115	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:49.422434092 CET	50115	445	192.168.2.9	52.2.231.1
Jan 15, 2025 19:59:49.427205086 CET	445	50115	52.2.231.1	192.168.2.9
Jan 15, 2025 19:59:50.074106932 CET	50116	445	192.168.2.9	46.96.102.138
Jan 15, 2025 19:59:50.079018116 CET	445	50116	46.96.102.138	192.168.2.9
Jan 15, 2025 19:59:50.079118967 CET	50116	445	192.168.2.9	46.96.102.138
Jan 15, 2025 19:59:50.079201937 CET	50116	445	192.168.2.9	46.96.102.138
Jan 15, 2025 19:59:50.079355001 CET	50117	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.084165096 CET	445	50117	46.96.102.1	192.168.2.9
Jan 15, 2025 19:59:50.084253073 CET	50117	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.084400892 CET	445	50116	46.96.102.138	192.168.2.9
Jan 15, 2025 19:59:50.084462881 CET	50116	445	192.168.2.9	46.96.102.138
Jan 15, 2025 19:59:50.088247061 CET	50117	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.088475943 CET	50118	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.093085051 CET	445	50117	46.96.102.1	192.168.2.9
Jan 15, 2025 19:59:50.093146086 CET	50117	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.093292952 CET	445	50118	46.96.102.1	192.168.2.9
Jan 15, 2025 19:59:50.093367100 CET	50118	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.093409061 CET	50118	445	192.168.2.9	46.96.102.1
Jan 15, 2025 19:59:50.098162889 CET	445	50118	46.96.102.1	192.168.2.9
Jan 15, 2025 19:59:50.507797003 CET	445	50024	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:50.507944107 CET	50024	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:50.507945061 CET	50024	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:50.508013010 CET	50024	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:50.514015913 CET	445	50024	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:50.514157057 CET	445	50024	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:51.418353081 CET	50119	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:51.431891918 CET	445	50119	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:51.431967974 CET	50119	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:51.432022095 CET	50119	445	192.168.2.9	88.10.108.1
Jan 15, 2025 19:59:51.438021898 CET	445	50119	88.10.108.1	192.168.2.9
Jan 15, 2025 19:59:51.496161938 CET	50120	445	192.168.2.9	185.184.157.183
Jan 15, 2025 19:59:51.501040936 CET	445	50120	185.184.157.183	192.168.2.9
Jan 15, 2025 19:59:51.501132965 CET	50120	445	192.168.2.9	185.184.157.183
Jan 15, 2025 19:59:51.501199007 CET	50120	445	192.168.2.9	185.184.157.183
Jan 15, 2025 19:59:51.501400948 CET	50121	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.506177902 CET	445	50120	185.184.157.183	192.168.2.9
Jan 15, 2025 19:59:51.506237030 CET	50120	445	192.168.2.9	185.184.157.183
Jan 15, 2025 19:59:51.506285906 CET	445	50121	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:51.506334066 CET	50121	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.506369114 CET	50121	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.506714106 CET	50122	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.511382103 CET	445	50121	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:51.511435032 CET	50121	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.511514902 CET	445	50122	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:51.511565924 CET	50122	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.511612892 CET	50122	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:51.516372919 CET	445	50122	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:52.491761923 CET	445	50048	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:52.491818905 CET	50048	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:52.491869926 CET	50048	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:52.491913080 CET	50048	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:52.496592999 CET	445	50048	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:52.496607065 CET	445	50048	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:52.824675083 CET	50123	445	192.168.2.9	146.226.127.49
Jan 15, 2025 19:59:52.830662966 CET	445	50123	146.226.127.49	192.168.2.9
Jan 15, 2025 19:59:52.830792904 CET	50123	445	192.168.2.9	146.226.127.49
Jan 15, 2025 19:59:52.836267948 CET	50123	445	192.168.2.9	146.226.127.49
Jan 15, 2025 19:59:52.836483955 CET	50124	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.843337059 CET	445	50123	146.226.127.49	192.168.2.9
Jan 15, 2025 19:59:52.843379021 CET	445	50123	146.226.127.49	192.168.2.9
Jan 15, 2025 19:59:52.843411922 CET	445	50124	146.226.127.1	192.168.2.9
Jan 15, 2025 19:59:52.843430042 CET	50123	445	192.168.2.9	146.226.127.49
Jan 15, 2025 19:59:52.843473911 CET	50124	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.843554974 CET	50124	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.843947887 CET	50125	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.849647045 CET	445	50124	146.226.127.1	192.168.2.9
Jan 15, 2025 19:59:52.849678040 CET	445	50125	146.226.127.1	192.168.2.9
Jan 15, 2025 19:59:52.849714041 CET	50124	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.849756002 CET	50125	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.849800110 CET	50125	445	192.168.2.9	146.226.127.1
Jan 15, 2025 19:59:52.855513096 CET	445	50125	146.226.127.1	192.168.2.9
Jan 15, 2025 19:59:52.932521105 CET	445	50122	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:52.932602882 CET	50122	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:52.932643890 CET	50122	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:52.932688951 CET	50122	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:52.937592983 CET	445	50122	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:52.937623024 CET	445	50122	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:53.511204004 CET	50126	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:53.516087055 CET	445	50126	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:53.520086050 CET	50126	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:53.524594069 CET	50126	445	192.168.2.9	107.43.37.1
Jan 15, 2025 19:59:53.529397011 CET	445	50126	107.43.37.1	192.168.2.9
Jan 15, 2025 19:59:53.698790073 CET	49705	80	192.168.2.9	199.232.210.172
Jan 15, 2025 19:59:53.703761101 CET	80	49705	199.232.210.172	192.168.2.9
Jan 15, 2025 19:59:53.704063892 CET	49705	80	192.168.2.9	199.232.210.172
Jan 15, 2025 19:59:54.074074984 CET	50127	445	192.168.2.9	40.72.68.33
Jan 15, 2025 19:59:54.078926086 CET	445	50127	40.72.68.33	192.168.2.9
Jan 15, 2025 19:59:54.079022884 CET	50127	445	192.168.2.9	40.72.68.33
Jan 15, 2025 19:59:54.079066992 CET	50127	445	192.168.2.9	40.72.68.33
Jan 15, 2025 19:59:54.079277039 CET	50128	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.085062981 CET	445	50128	40.72.68.1	192.168.2.9
Jan 15, 2025 19:59:54.085123062 CET	50128	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.085145950 CET	50128	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.085210085 CET	445	50127	40.72.68.33	192.168.2.9
Jan 15, 2025 19:59:54.085258007 CET	50127	445	192.168.2.9	40.72.68.33
Jan 15, 2025 19:59:54.085386038 CET	50129	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.090106010 CET	445	50128	40.72.68.1	192.168.2.9
Jan 15, 2025 19:59:54.090142012 CET	445	50129	40.72.68.1	192.168.2.9
Jan 15, 2025 19:59:54.090167046 CET	50128	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.090214014 CET	50129	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.090260029 CET	50129	445	192.168.2.9	40.72.68.1
Jan 15, 2025 19:59:54.095019102 CET	445	50129	40.72.68.1	192.168.2.9
Jan 15, 2025 19:59:54.491431952 CET	445	50071	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:54.491502047 CET	50071	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:54.491539955 CET	50071	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:54.491586924 CET	50071	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:54.496444941 CET	445	50071	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:54.496476889 CET	445	50071	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:54.731731892 CET	445	50075	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:54.731806040 CET	50075	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:54.731908083 CET	50075	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:54.732014894 CET	50075	445	192.168.2.9	42.230.216.1
Jan 15, 2025 19:59:54.736742020 CET	445	50075	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:54.736830950 CET	445	50075	42.230.216.1	192.168.2.9
Jan 15, 2025 19:59:54.799814939 CET	50130	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.804609060 CET	445	50130	42.230.216.2	192.168.2.9
Jan 15, 2025 19:59:54.804671049 CET	50130	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.804852962 CET	50130	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.805526972 CET	50131	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.809701920 CET	445	50130	42.230.216.2	192.168.2.9
Jan 15, 2025 19:59:54.809752941 CET	50130	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.810481071 CET	445	50131	42.230.216.2	192.168.2.9
Jan 15, 2025 19:59:54.810538054 CET	50131	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.810637951 CET	50131	445	192.168.2.9	42.230.216.2
Jan 15, 2025 19:59:54.815440893 CET	445	50131	42.230.216.2	192.168.2.9
Jan 15, 2025 19:59:55.377441883 CET	50132	445	192.168.2.9	191.133.120.75
Jan 15, 2025 19:59:55.382302046 CET	445	50132	191.133.120.75	192.168.2.9
Jan 15, 2025 19:59:55.382366896 CET	50132	445	192.168.2.9	191.133.120.75
Jan 15, 2025 19:59:55.382412910 CET	50132	445	192.168.2.9	191.133.120.75
Jan 15, 2025 19:59:55.382579088 CET	50133	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.387398958 CET	445	50132	191.133.120.75	192.168.2.9
Jan 15, 2025 19:59:55.387415886 CET	445	50133	191.133.120.1	192.168.2.9
Jan 15, 2025 19:59:55.387476921 CET	50132	445	192.168.2.9	191.133.120.75
Jan 15, 2025 19:59:55.387511015 CET	50133	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.387609005 CET	50133	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.390599966 CET	50134	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.392510891 CET	445	50133	191.133.120.1	192.168.2.9
Jan 15, 2025 19:59:55.393511057 CET	50133	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.395390034 CET	445	50134	191.133.120.1	192.168.2.9
Jan 15, 2025 19:59:55.395500898 CET	50134	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.395529032 CET	50134	445	192.168.2.9	191.133.120.1
Jan 15, 2025 19:59:55.400317907 CET	445	50134	191.133.120.1	192.168.2.9
Jan 15, 2025 19:59:55.496114016 CET	50135	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:55.501087904 CET	445	50135	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:55.501152992 CET	50135	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:55.501190901 CET	50135	445	192.168.2.9	208.156.168.1
Jan 15, 2025 19:59:55.505996943 CET	445	50135	208.156.168.1	192.168.2.9
Jan 15, 2025 19:59:55.933254957 CET	50136	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:55.938312054 CET	445	50136	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:55.939342976 CET	50136	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:55.939342976 CET	50136	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:55.944228888 CET	445	50136	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:56.467164993 CET	50138	445	192.168.2.9	82.250.219.42
Jan 15, 2025 19:59:56.472261906 CET	445	50138	82.250.219.42	192.168.2.9
Jan 15, 2025 19:59:56.472363949 CET	50138	445	192.168.2.9	82.250.219.42
Jan 15, 2025 19:59:56.472429991 CET	50138	445	192.168.2.9	82.250.219.42
Jan 15, 2025 19:59:56.472549915 CET	50139	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.477416039 CET	445	50138	82.250.219.42	192.168.2.9
Jan 15, 2025 19:59:56.477475882 CET	445	50139	82.250.219.1	192.168.2.9
Jan 15, 2025 19:59:56.477493048 CET	50138	445	192.168.2.9	82.250.219.42
Jan 15, 2025 19:59:56.477549076 CET	50139	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.477597952 CET	50139	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.479202986 CET	50140	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.482548952 CET	445	50139	82.250.219.1	192.168.2.9
Jan 15, 2025 19:59:56.482608080 CET	50139	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.484191895 CET	445	50140	82.250.219.1	192.168.2.9
Jan 15, 2025 19:59:56.484261036 CET	50140	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.484348059 CET	50140	445	192.168.2.9	82.250.219.1
Jan 15, 2025 19:59:56.489121914 CET	445	50140	82.250.219.1	192.168.2.9
Jan 15, 2025 19:59:56.495795965 CET	445	50083	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:56.495888948 CET	50083	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:56.495888948 CET	50083	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:56.495934963 CET	50083	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:56.500871897 CET	445	50083	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:56.500902891 CET	445	50083	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:56.694932938 CET	445	50084	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:56.695014954 CET	50084	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:56.695085049 CET	50084	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:56.695157051 CET	50084	445	192.168.2.9	188.75.188.1
Jan 15, 2025 19:59:56.699881077 CET	445	50084	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:56.699991941 CET	445	50084	188.75.188.1	192.168.2.9
Jan 15, 2025 19:59:56.761359930 CET	50141	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.766180992 CET	445	50141	188.75.188.2	192.168.2.9
Jan 15, 2025 19:59:56.766249895 CET	50141	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.766305923 CET	50141	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.766649961 CET	50142	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.771439075 CET	445	50141	188.75.188.2	192.168.2.9
Jan 15, 2025 19:59:56.771455050 CET	445	50142	188.75.188.2	192.168.2.9
Jan 15, 2025 19:59:56.771486998 CET	50141	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.771532059 CET	50142	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.771557093 CET	50142	445	192.168.2.9	188.75.188.2
Jan 15, 2025 19:59:56.776351929 CET	445	50142	188.75.188.2	192.168.2.9
Jan 15, 2025 19:59:57.322724104 CET	445	50136	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:57.322829962 CET	50136	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:57.322895050 CET	50136	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:57.322935104 CET	50136	445	192.168.2.9	185.184.157.1
Jan 15, 2025 19:59:57.327837944 CET	445	50136	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:57.327869892 CET	445	50136	185.184.157.1	192.168.2.9
Jan 15, 2025 19:59:57.386313915 CET	50143	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.391158104 CET	445	50143	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:57.391828060 CET	50143	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.391896963 CET	50143	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.392308950 CET	50144	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.396914005 CET	445	50143	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:57.397037983 CET	50143	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.397069931 CET	445	50144	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:57.397134066 CET	50144	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.397239923 CET	50144	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:57.402044058 CET	445	50144	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:57.483194113 CET	50145	445	192.168.2.9	27.16.134.176
Jan 15, 2025 19:59:57.488446951 CET	445	50145	27.16.134.176	192.168.2.9
Jan 15, 2025 19:59:57.488544941 CET	50145	445	192.168.2.9	27.16.134.176
Jan 15, 2025 19:59:57.488616943 CET	50145	445	192.168.2.9	27.16.134.176
Jan 15, 2025 19:59:57.488771915 CET	50146	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.494119883 CET	445	50146	27.16.134.1	192.168.2.9
Jan 15, 2025 19:59:57.494272947 CET	445	50145	27.16.134.176	192.168.2.9
Jan 15, 2025 19:59:57.494360924 CET	50145	445	192.168.2.9	27.16.134.176
Jan 15, 2025 19:59:57.494360924 CET	50146	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.494431973 CET	50146	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.494791985 CET	50147	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.495423079 CET	50148	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:57.499851942 CET	445	50146	27.16.134.1	192.168.2.9
Jan 15, 2025 19:59:57.499933004 CET	50146	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.500199080 CET	445	50147	27.16.134.1	192.168.2.9
Jan 15, 2025 19:59:57.500287056 CET	50147	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.500334978 CET	50147	445	192.168.2.9	27.16.134.1
Jan 15, 2025 19:59:57.500711918 CET	445	50148	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:57.500777960 CET	50148	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:57.500821114 CET	50148	445	192.168.2.9	106.99.254.1
Jan 15, 2025 19:59:57.505624056 CET	445	50147	27.16.134.1	192.168.2.9
Jan 15, 2025 19:59:57.505834103 CET	445	50148	106.99.254.1	192.168.2.9
Jan 15, 2025 19:59:58.434262037 CET	50149	445	192.168.2.9	119.254.172.154
Jan 15, 2025 19:59:58.439137936 CET	445	50149	119.254.172.154	192.168.2.9
Jan 15, 2025 19:59:58.439335108 CET	50149	445	192.168.2.9	119.254.172.154
Jan 15, 2025 19:59:58.439335108 CET	50149	445	192.168.2.9	119.254.172.154
Jan 15, 2025 19:59:58.439460993 CET	50150	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.444288015 CET	445	50150	119.254.172.1	192.168.2.9
Jan 15, 2025 19:59:58.444303036 CET	445	50149	119.254.172.154	192.168.2.9
Jan 15, 2025 19:59:58.444344997 CET	50150	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.444448948 CET	50150	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.444736004 CET	50151	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.445322990 CET	50149	445	192.168.2.9	119.254.172.154
Jan 15, 2025 19:59:58.449330091 CET	445	50150	119.254.172.1	192.168.2.9
Jan 15, 2025 19:59:58.449381113 CET	50150	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.449551105 CET	445	50151	119.254.172.1	192.168.2.9
Jan 15, 2025 19:59:58.449611902 CET	50151	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.449642897 CET	50151	445	192.168.2.9	119.254.172.1
Jan 15, 2025 19:59:58.454365015 CET	445	50151	119.254.172.1	192.168.2.9
Jan 15, 2025 19:59:58.651793957 CET	445	50087	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:58.651878119 CET	50087	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:58.651953936 CET	50087	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:58.651981115 CET	50087	445	192.168.2.9	71.134.184.1
Jan 15, 2025 19:59:58.656728983 CET	445	50087	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:58.656743050 CET	445	50087	71.134.184.1	192.168.2.9
Jan 15, 2025 19:59:58.714652061 CET	445	50088	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:58.714713097 CET	50088	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:58.714778900 CET	50088	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:58.714843988 CET	50088	445	192.168.2.9	79.172.32.1
Jan 15, 2025 19:59:58.719686985 CET	445	50088	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:58.719716072 CET	445	50088	79.172.32.1	192.168.2.9
Jan 15, 2025 19:59:58.776967049 CET	50152	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.781858921 CET	445	50152	79.172.32.2	192.168.2.9
Jan 15, 2025 19:59:58.782871962 CET	50152	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.782923937 CET	50152	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.783253908 CET	50153	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.787883997 CET	445	50152	79.172.32.2	192.168.2.9
Jan 15, 2025 19:59:58.788161039 CET	445	50153	79.172.32.2	192.168.2.9
Jan 15, 2025 19:59:58.788213015 CET	50152	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.788242102 CET	50153	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.788265944 CET	50153	445	192.168.2.9	79.172.32.2
Jan 15, 2025 19:59:58.794420004 CET	445	50153	79.172.32.2	192.168.2.9
Jan 15, 2025 19:59:58.809159040 CET	445	50144	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:58.811500072 CET	50144	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:58.811546087 CET	50144	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:58.811602116 CET	50144	445	192.168.2.9	185.184.157.2
Jan 15, 2025 19:59:58.816328049 CET	445	50144	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:58.816435099 CET	445	50144	185.184.157.2	192.168.2.9
Jan 15, 2025 19:59:59.308532953 CET	50154	445	192.168.2.9	17.137.98.241
Jan 15, 2025 19:59:59.313374043 CET	445	50154	17.137.98.241	192.168.2.9
Jan 15, 2025 19:59:59.313453913 CET	50154	445	192.168.2.9	17.137.98.241
Jan 15, 2025 19:59:59.313472033 CET	50154	445	192.168.2.9	17.137.98.241
Jan 15, 2025 19:59:59.313606977 CET	50155	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.318412066 CET	445	50155	17.137.98.1	192.168.2.9
Jan 15, 2025 19:59:59.318475008 CET	50155	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.318492889 CET	50155	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.318567038 CET	445	50154	17.137.98.241	192.168.2.9
Jan 15, 2025 19:59:59.318615913 CET	50154	445	192.168.2.9	17.137.98.241
Jan 15, 2025 19:59:59.318834066 CET	50156	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.323410034 CET	445	50155	17.137.98.1	192.168.2.9
Jan 15, 2025 19:59:59.323472023 CET	50155	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.323626041 CET	445	50156	17.137.98.1	192.168.2.9
Jan 15, 2025 19:59:59.323674917 CET	50156	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.323699951 CET	50156	445	192.168.2.9	17.137.98.1
Jan 15, 2025 19:59:59.328465939 CET	445	50156	17.137.98.1	192.168.2.9
Jan 15, 2025 19:59:59.511212111 CET	50157	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:59.516149044 CET	445	50157	165.49.37.1	192.168.2.9
Jan 15, 2025 19:59:59.516238928 CET	50157	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:59.516313076 CET	50157	445	192.168.2.9	165.49.37.1
Jan 15, 2025 19:59:59.521095991 CET	445	50157	165.49.37.1	192.168.2.9
Jan 15, 2025 20:00:00.136915922 CET	50158	445	192.168.2.9	201.41.62.109
Jan 15, 2025 20:00:00.142023087 CET	445	50158	201.41.62.109	192.168.2.9
Jan 15, 2025 20:00:00.142159939 CET	50158	445	192.168.2.9	201.41.62.109
Jan 15, 2025 20:00:00.142196894 CET	50158	445	192.168.2.9	201.41.62.109
Jan 15, 2025 20:00:00.142359972 CET	50159	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.147286892 CET	445	50159	201.41.62.1	192.168.2.9
Jan 15, 2025 20:00:00.147341013 CET	445	50158	201.41.62.109	192.168.2.9
Jan 15, 2025 20:00:00.147392035 CET	50159	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.147392035 CET	50159	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.147399902 CET	50158	445	192.168.2.9	201.41.62.109
Jan 15, 2025 20:00:00.147670031 CET	50160	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.152446985 CET	445	50159	201.41.62.1	192.168.2.9
Jan 15, 2025 20:00:00.152503967 CET	445	50160	201.41.62.1	192.168.2.9
Jan 15, 2025 20:00:00.152508974 CET	50159	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.152578115 CET	50160	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.152620077 CET	50160	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:00.157474041 CET	445	50160	201.41.62.1	192.168.2.9
Jan 15, 2025 20:00:00.712291002 CET	445	50092	188.195.139.1	192.168.2.9
Jan 15, 2025 20:00:00.712377071 CET	50092	445	192.168.2.9	188.195.139.1
Jan 15, 2025 20:00:00.714682102 CET	50092	445	192.168.2.9	188.195.139.1
Jan 15, 2025 20:00:00.714757919 CET	50092	445	192.168.2.9	188.195.139.1
Jan 15, 2025 20:00:00.719575882 CET	445	50092	188.195.139.1	192.168.2.9
Jan 15, 2025 20:00:00.719594955 CET	445	50092	188.195.139.1	192.168.2.9
Jan 15, 2025 20:00:00.781405926 CET	50161	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.786328077 CET	445	50161	188.195.139.2	192.168.2.9
Jan 15, 2025 20:00:00.786417961 CET	50161	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.789108992 CET	50161	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.794174910 CET	445	50161	188.195.139.2	192.168.2.9
Jan 15, 2025 20:00:00.794249058 CET	50161	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.891808987 CET	50162	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.896759033 CET	445	50162	188.195.139.2	192.168.2.9
Jan 15, 2025 20:00:00.896830082 CET	50162	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.899384975 CET	50162	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:00.904226065 CET	445	50162	188.195.139.2	192.168.2.9
Jan 15, 2025 20:00:00.982275963 CET	50163	445	192.168.2.9	143.249.87.243
Jan 15, 2025 20:00:00.987391949 CET	445	50163	143.249.87.243	192.168.2.9
Jan 15, 2025 20:00:00.987471104 CET	50163	445	192.168.2.9	143.249.87.243
Jan 15, 2025 20:00:00.987524986 CET	50163	445	192.168.2.9	143.249.87.243
Jan 15, 2025 20:00:00.987718105 CET	50164	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:00.992461920 CET	445	50163	143.249.87.243	192.168.2.9
Jan 15, 2025 20:00:00.992520094 CET	50163	445	192.168.2.9	143.249.87.243
Jan 15, 2025 20:00:00.992561102 CET	445	50164	143.249.87.1	192.168.2.9
Jan 15, 2025 20:00:00.992626905 CET	50164	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:00.992747068 CET	50164	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:00.993179083 CET	50165	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:00.997633934 CET	445	50164	143.249.87.1	192.168.2.9
Jan 15, 2025 20:00:00.997805119 CET	50164	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:00.998039007 CET	445	50165	143.249.87.1	192.168.2.9
Jan 15, 2025 20:00:00.998136997 CET	50165	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:00.998178959 CET	50165	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:01.003016949 CET	445	50165	143.249.87.1	192.168.2.9
Jan 15, 2025 20:00:01.667414904 CET	50166	445	192.168.2.9	71.134.184.1
Jan 15, 2025 20:00:01.672250986 CET	445	50166	71.134.184.1	192.168.2.9
Jan 15, 2025 20:00:01.672322989 CET	50166	445	192.168.2.9	71.134.184.1
Jan 15, 2025 20:00:01.672352076 CET	50166	445	192.168.2.9	71.134.184.1
Jan 15, 2025 20:00:01.677161932 CET	445	50166	71.134.184.1	192.168.2.9
Jan 15, 2025 20:00:01.823904037 CET	50168	445	192.168.2.9	185.184.157.2
Jan 15, 2025 20:00:01.828957081 CET	445	50168	185.184.157.2	192.168.2.9
Jan 15, 2025 20:00:01.829085112 CET	50168	445	192.168.2.9	185.184.157.2
Jan 15, 2025 20:00:01.829138041 CET	50168	445	192.168.2.9	185.184.157.2
Jan 15, 2025 20:00:01.834045887 CET	445	50168	185.184.157.2	192.168.2.9
Jan 15, 2025 20:00:02.648085117 CET	445	50095	215.248.16.1	192.168.2.9
Jan 15, 2025 20:00:02.648232937 CET	50095	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:02.648356915 CET	50095	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:02.648356915 CET	50095	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:02.653247118 CET	445	50095	215.248.16.1	192.168.2.9
Jan 15, 2025 20:00:02.653261900 CET	445	50095	215.248.16.1	192.168.2.9
Jan 15, 2025 20:00:02.794547081 CET	445	50096	10.200.100.1	192.168.2.9
Jan 15, 2025 20:00:02.794645071 CET	50096	445	192.168.2.9	10.200.100.1
Jan 15, 2025 20:00:02.794708967 CET	50096	445	192.168.2.9	10.200.100.1
Jan 15, 2025 20:00:02.794786930 CET	50096	445	192.168.2.9	10.200.100.1
Jan 15, 2025 20:00:02.799834967 CET	445	50096	10.200.100.1	192.168.2.9
Jan 15, 2025 20:00:02.799885988 CET	445	50096	10.200.100.1	192.168.2.9
Jan 15, 2025 20:00:02.855041027 CET	50171	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.859942913 CET	445	50171	10.200.100.2	192.168.2.9
Jan 15, 2025 20:00:02.860016108 CET	50171	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.860048056 CET	50171	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.860421896 CET	50172	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.865151882 CET	445	50171	10.200.100.2	192.168.2.9
Jan 15, 2025 20:00:02.865206003 CET	50171	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.865269899 CET	445	50172	10.200.100.2	192.168.2.9
Jan 15, 2025 20:00:02.865324974 CET	50172	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.865359068 CET	50172	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:02.870126963 CET	445	50172	10.200.100.2	192.168.2.9
Jan 15, 2025 20:00:03.213499069 CET	445	50168	185.184.157.2	192.168.2.9
Jan 15, 2025 20:00:03.213593006 CET	50168	445	192.168.2.9	185.184.157.2
Jan 15, 2025 20:00:03.213654995 CET	50168	445	192.168.2.9	185.184.157.2
Jan 15, 2025 20:00:03.213670015 CET	50168	445	192.168.2.9	185.184.157.2
Jan 15, 2025 20:00:03.218554020 CET	445	50168	185.184.157.2	192.168.2.9
Jan 15, 2025 20:00:03.218575954 CET	445	50168	185.184.157.2	192.168.2.9
Jan 15, 2025 20:00:03.276961088 CET	50174	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.281908989 CET	445	50174	185.184.157.3	192.168.2.9
Jan 15, 2025 20:00:03.282147884 CET	50174	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.282252073 CET	50174	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.282603979 CET	50175	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.287231922 CET	445	50174	185.184.157.3	192.168.2.9
Jan 15, 2025 20:00:03.287334919 CET	50174	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.287411928 CET	445	50175	185.184.157.3	192.168.2.9
Jan 15, 2025 20:00:03.287477970 CET	50175	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.287511110 CET	50175	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:03.292258978 CET	445	50175	185.184.157.3	192.168.2.9
Jan 15, 2025 20:00:04.664916992 CET	445	50099	16.102.172.1	192.168.2.9
Jan 15, 2025 20:00:04.665133953 CET	50099	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:04.665237904 CET	50099	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:04.665237904 CET	50099	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:04.671238899 CET	445	50099	16.102.172.1	192.168.2.9
Jan 15, 2025 20:00:04.671778917 CET	445	50099	16.102.172.1	192.168.2.9
Jan 15, 2025 20:00:05.257652044 CET	445	50101	164.135.40.1	192.168.2.9
Jan 15, 2025 20:00:05.260083914 CET	50101	445	192.168.2.9	164.135.40.1
Jan 15, 2025 20:00:05.260171890 CET	50101	445	192.168.2.9	164.135.40.1
Jan 15, 2025 20:00:05.260240078 CET	50101	445	192.168.2.9	164.135.40.1
Jan 15, 2025 20:00:05.265139103 CET	445	50101	164.135.40.1	192.168.2.9
Jan 15, 2025 20:00:05.265158892 CET	445	50101	164.135.40.1	192.168.2.9
Jan 15, 2025 20:00:05.323956966 CET	50188	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.328958035 CET	445	50188	164.135.40.2	192.168.2.9
Jan 15, 2025 20:00:05.332096100 CET	50188	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.332119942 CET	50188	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.332489014 CET	50189	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.337193012 CET	445	50188	164.135.40.2	192.168.2.9
Jan 15, 2025 20:00:05.337455034 CET	445	50189	164.135.40.2	192.168.2.9
Jan 15, 2025 20:00:05.337505102 CET	50188	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.337538958 CET	50189	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.337574005 CET	50189	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:05.343293905 CET	445	50189	164.135.40.2	192.168.2.9
Jan 15, 2025 20:00:05.652239084 CET	50191	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:05.657314062 CET	445	50191	215.248.16.1	192.168.2.9
Jan 15, 2025 20:00:05.660121918 CET	50191	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:05.662925005 CET	50191	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:05.667762995 CET	445	50191	215.248.16.1	192.168.2.9
Jan 15, 2025 20:00:06.540999889 CET	445	50104	74.8.58.1	192.168.2.9
Jan 15, 2025 20:00:06.541096926 CET	50104	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:06.542848110 CET	50104	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:06.542893887 CET	50104	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:06.547760010 CET	445	50104	74.8.58.1	192.168.2.9
Jan 15, 2025 20:00:06.547776937 CET	445	50104	74.8.58.1	192.168.2.9
Jan 15, 2025 20:00:06.804445982 CET	445	50106	160.106.135.1	192.168.2.9
Jan 15, 2025 20:00:06.804539919 CET	50106	445	192.168.2.9	160.106.135.1
Jan 15, 2025 20:00:06.804626942 CET	50106	445	192.168.2.9	160.106.135.1
Jan 15, 2025 20:00:06.804626942 CET	50106	445	192.168.2.9	160.106.135.1
Jan 15, 2025 20:00:06.809539080 CET	445	50106	160.106.135.1	192.168.2.9
Jan 15, 2025 20:00:06.809556007 CET	445	50106	160.106.135.1	192.168.2.9
Jan 15, 2025 20:00:06.820234060 CET	445	50107	67.221.200.2	192.168.2.9
Jan 15, 2025 20:00:06.820311069 CET	50107	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:06.820388079 CET	50107	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:06.820388079 CET	50107	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:06.825294971 CET	445	50107	67.221.200.2	192.168.2.9
Jan 15, 2025 20:00:06.825310946 CET	445	50107	67.221.200.2	192.168.2.9
Jan 15, 2025 20:00:06.870603085 CET	50204	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.875560045 CET	445	50204	160.106.135.2	192.168.2.9
Jan 15, 2025 20:00:06.875639915 CET	50204	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.875677109 CET	50204	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.876017094 CET	50205	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.880665064 CET	445	50204	160.106.135.2	192.168.2.9
Jan 15, 2025 20:00:06.880723000 CET	50204	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.880872011 CET	445	50205	160.106.135.2	192.168.2.9
Jan 15, 2025 20:00:06.881247997 CET	50205	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.881247997 CET	50205	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:06.886014938 CET	445	50205	160.106.135.2	192.168.2.9
Jan 15, 2025 20:00:07.667642117 CET	50216	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:07.672617912 CET	445	50216	16.102.172.1	192.168.2.9
Jan 15, 2025 20:00:07.672722101 CET	50216	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:07.672756910 CET	50216	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:07.677577019 CET	445	50216	16.102.172.1	192.168.2.9
Jan 15, 2025 20:00:08.273372889 CET	445	50110	153.98.17.1	192.168.2.9
Jan 15, 2025 20:00:08.273614883 CET	50110	445	192.168.2.9	153.98.17.1
Jan 15, 2025 20:00:08.273614883 CET	50110	445	192.168.2.9	153.98.17.1
Jan 15, 2025 20:00:08.273614883 CET	50110	445	192.168.2.9	153.98.17.1
Jan 15, 2025 20:00:08.278592110 CET	445	50110	153.98.17.1	192.168.2.9
Jan 15, 2025 20:00:08.278604984 CET	445	50110	153.98.17.1	192.168.2.9
Jan 15, 2025 20:00:08.777105093 CET	445	50111	36.17.33.1	192.168.2.9
Jan 15, 2025 20:00:08.777183056 CET	50111	445	192.168.2.9	36.17.33.1
Jan 15, 2025 20:00:08.777231932 CET	50111	445	192.168.2.9	36.17.33.1
Jan 15, 2025 20:00:08.777276039 CET	50111	445	192.168.2.9	36.17.33.1
Jan 15, 2025 20:00:08.782095909 CET	445	50111	36.17.33.1	192.168.2.9
Jan 15, 2025 20:00:08.782126904 CET	445	50111	36.17.33.1	192.168.2.9
Jan 15, 2025 20:00:08.839401007 CET	50235	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.845042944 CET	445	50235	36.17.33.2	192.168.2.9
Jan 15, 2025 20:00:08.845179081 CET	50235	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.845180035 CET	50235	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.845508099 CET	50236	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.850425959 CET	445	50235	36.17.33.2	192.168.2.9
Jan 15, 2025 20:00:08.850506067 CET	50235	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.850620985 CET	445	50236	36.17.33.2	192.168.2.9
Jan 15, 2025 20:00:08.850684881 CET	50236	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.850727081 CET	50236	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:08.856811047 CET	445	50236	36.17.33.2	192.168.2.9
Jan 15, 2025 20:00:09.558238983 CET	50251	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:09.563420057 CET	445	50251	74.8.58.1	192.168.2.9
Jan 15, 2025 20:00:09.563513041 CET	50251	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:09.563513041 CET	50251	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:09.568377018 CET	445	50251	74.8.58.1	192.168.2.9
Jan 15, 2025 20:00:09.823815107 CET	50260	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:09.829030037 CET	445	50260	67.221.200.2	192.168.2.9
Jan 15, 2025 20:00:09.829169989 CET	50260	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:09.829222918 CET	50260	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:09.834167957 CET	445	50260	67.221.200.2	192.168.2.9
Jan 15, 2025 20:00:09.915802956 CET	445	50114	58.65.156.1	192.168.2.9
Jan 15, 2025 20:00:09.916064024 CET	50114	445	192.168.2.9	58.65.156.1
Jan 15, 2025 20:00:09.916282892 CET	50114	445	192.168.2.9	58.65.156.1
Jan 15, 2025 20:00:09.916282892 CET	50114	445	192.168.2.9	58.65.156.1
Jan 15, 2025 20:00:09.921153069 CET	445	50114	58.65.156.1	192.168.2.9
Jan 15, 2025 20:00:09.921216965 CET	445	50114	58.65.156.1	192.168.2.9
Jan 15, 2025 20:00:10.788965940 CET	445	50115	52.2.231.1	192.168.2.9
Jan 15, 2025 20:00:10.789071083 CET	50115	445	192.168.2.9	52.2.231.1
Jan 15, 2025 20:00:10.789122105 CET	50115	445	192.168.2.9	52.2.231.1
Jan 15, 2025 20:00:10.789166927 CET	50115	445	192.168.2.9	52.2.231.1
Jan 15, 2025 20:00:10.794064999 CET	445	50115	52.2.231.1	192.168.2.9
Jan 15, 2025 20:00:10.794133902 CET	445	50115	52.2.231.1	192.168.2.9
Jan 15, 2025 20:00:10.855145931 CET	50292	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.860301018 CET	445	50292	52.2.231.2	192.168.2.9
Jan 15, 2025 20:00:10.860400915 CET	50292	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.860465050 CET	50292	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.861325026 CET	50293	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.865693092 CET	445	50292	52.2.231.2	192.168.2.9
Jan 15, 2025 20:00:10.865782976 CET	50292	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.866257906 CET	445	50293	52.2.231.2	192.168.2.9
Jan 15, 2025 20:00:10.866333008 CET	50293	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.866374016 CET	50293	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:10.871212006 CET	445	50293	52.2.231.2	192.168.2.9
Jan 15, 2025 20:00:11.276973963 CET	50307	445	192.168.2.9	153.98.17.1
Jan 15, 2025 20:00:11.282036066 CET	445	50307	153.98.17.1	192.168.2.9
Jan 15, 2025 20:00:11.282151937 CET	50307	445	192.168.2.9	153.98.17.1
Jan 15, 2025 20:00:11.282196045 CET	50307	445	192.168.2.9	153.98.17.1
Jan 15, 2025 20:00:11.287024975 CET	445	50307	153.98.17.1	192.168.2.9
Jan 15, 2025 20:00:11.445333004 CET	445	50118	46.96.102.1	192.168.2.9
Jan 15, 2025 20:00:11.445441961 CET	50118	445	192.168.2.9	46.96.102.1
Jan 15, 2025 20:00:11.445523024 CET	50118	445	192.168.2.9	46.96.102.1
Jan 15, 2025 20:00:11.445643902 CET	50118	445	192.168.2.9	46.96.102.1
Jan 15, 2025 20:00:11.450380087 CET	445	50118	46.96.102.1	192.168.2.9
Jan 15, 2025 20:00:11.450470924 CET	445	50118	46.96.102.1	192.168.2.9
Jan 15, 2025 20:00:12.789778948 CET	445	50119	88.10.108.1	192.168.2.9
Jan 15, 2025 20:00:12.789897919 CET	50119	445	192.168.2.9	88.10.108.1
Jan 15, 2025 20:00:13.846463919 CET	50131	445	192.168.2.9	42.230.216.2
Jan 15, 2025 20:00:13.846498966 CET	50205	445	192.168.2.9	160.106.135.2
Jan 15, 2025 20:00:13.846524000 CET	50142	445	192.168.2.9	188.75.188.2
Jan 15, 2025 20:00:13.846549034 CET	50172	445	192.168.2.9	10.200.100.2
Jan 15, 2025 20:00:13.846589088 CET	50153	445	192.168.2.9	79.172.32.2
Jan 15, 2025 20:00:13.846605062 CET	50119	445	192.168.2.9	88.10.108.1
Jan 15, 2025 20:00:13.846652031 CET	50189	445	192.168.2.9	164.135.40.2
Jan 15, 2025 20:00:13.846802950 CET	50129	445	192.168.2.9	40.72.68.1
Jan 15, 2025 20:00:13.846848965 CET	50135	445	192.168.2.9	208.156.168.1
Jan 15, 2025 20:00:13.846873045 CET	50140	445	192.168.2.9	82.250.219.1
Jan 15, 2025 20:00:13.846885920 CET	50126	445	192.168.2.9	107.43.37.1
Jan 15, 2025 20:00:13.846885920 CET	50125	445	192.168.2.9	146.226.127.1
Jan 15, 2025 20:00:13.846885920 CET	50134	445	192.168.2.9	191.133.120.1
Jan 15, 2025 20:00:13.846901894 CET	50147	445	192.168.2.9	27.16.134.1
Jan 15, 2025 20:00:13.846940041 CET	50148	445	192.168.2.9	106.99.254.1
Jan 15, 2025 20:00:13.846949100 CET	50151	445	192.168.2.9	119.254.172.1
Jan 15, 2025 20:00:13.846970081 CET	50156	445	192.168.2.9	17.137.98.1
Jan 15, 2025 20:00:13.846987009 CET	50157	445	192.168.2.9	165.49.37.1
Jan 15, 2025 20:00:13.847009897 CET	50160	445	192.168.2.9	201.41.62.1
Jan 15, 2025 20:00:13.847040892 CET	50162	445	192.168.2.9	188.195.139.2
Jan 15, 2025 20:00:13.847064972 CET	50165	445	192.168.2.9	143.249.87.1
Jan 15, 2025 20:00:13.847084045 CET	50166	445	192.168.2.9	71.134.184.1
Jan 15, 2025 20:00:13.847148895 CET	50175	445	192.168.2.9	185.184.157.3
Jan 15, 2025 20:00:13.847172976 CET	50191	445	192.168.2.9	215.248.16.1
Jan 15, 2025 20:00:13.847207069 CET	50216	445	192.168.2.9	16.102.172.1
Jan 15, 2025 20:00:13.847242117 CET	50251	445	192.168.2.9	74.8.58.1
Jan 15, 2025 20:00:13.847263098 CET	50236	445	192.168.2.9	36.17.33.2
Jan 15, 2025 20:00:13.847321987 CET	50260	445	192.168.2.9	67.221.200.2
Jan 15, 2025 20:00:13.847374916 CET	50293	445	192.168.2.9	52.2.231.2
Jan 15, 2025 20:00:13.847415924 CET	50307	445	192.168.2.9	153.98.17.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 19:59:05.511683941 CET	53313	53	192.168.2.9	1.1.1.1
Jan 15, 2025 19:59:05.818049908 CET	53	53313	1.1.1.1	192.168.2.9
Jan 15, 2025 19:59:06.551140070 CET	54183	53	192.168.2.9	1.1.1.1
Jan 15, 2025 19:59:06.879981041 CET	53	54183	1.1.1.1	192.168.2.9
Jan 15, 2025 19:59:54.522543907 CET	138	138	192.168.2.9	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 19:59:05.511683941 CET	192.168.2.9	1.1.1.1	0x5dae	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:59:06.551140070 CET	192.168.2.9	1.1.1.1	0x427f	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 19:58:58.354948044 CET	1.1.1.1	192.168.2.9	0xb436	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 19:58:58.354948044 CET	1.1.1.1	192.168.2.9	0xb436	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:59:05.818049908 CET	1.1.1.1	192.168.2.9	0x5dae	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:59:06.879981041 CET	1.1.1.1	192.168.2.9	0x427f	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 19:59:06.879981041 CET	1.1.1.1	192.168.2.9	0x427f	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49742	103.224.212.215	80	7496	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:59:05.829505920 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 19:59:06.541752100 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 18:59:06 GMT server: Apache set-cookie: __tad=1736967546.4825785; expires=Sat, 13-Jan-2035 18:59:06 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0613-ae2f-1ca90d9c918b content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49748	199.59.243.228	80	7496	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:59:06.886321068 CET	169	OUT	GET /?subid1=20250116-0559-0613-ae2f-1ca90d9c918b HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 19:59:07.348448038 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 18:59:07 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: ad8299c7-89ff-4ec2-bbe2-55e27823d865 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_da1A+ma67Xj9WK5E3f8NGgTIkfX2RWg78ozIm2XgAMLhogINNhZormku7bTSSNR8OhLR5BNXiUKCPTMy1RMXHw== set-cookie: parking_session=ad8299c7-89ff-4ec2-bbe2-55e27823d865; expires=Wed, 15 Jan 2025 19:14:07 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 61 31 41 2b 6d 61 36 37 58 6a 39 57 4b 35 45 33 66 38 4e 47 67 54 49 6b 66 58 32 52 57 67 37 38 6f 7a 49 6d 32 58 67 41 4d 4c 68 6f 67 49 4e 4e 68 5a 6f 72 6d 6b 75 37 62 54 53 53 4e 52 38 4f 68 4c 52 35 42 4e 58 69 55 4b 43 50 54 4d 79 31 52 4d 58 48 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_da1A+ma67Xj9WK5E3f8NGgTIkfX2RWg78ozIm2XgAMLhogINNhZormku7bTSSNR8OhLR5BNXiUKCPTMy1RMXHw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 19:59:07.348469019 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWQ4Mjk5YzctODlmZi00ZWMyLWJiZTItNTVlMjc4MjNkODY1IiwicGFnZV90aW1lIjoxNzM2OTY3NTQ3LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49753	103.224.212.215	80	7604	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:59:07.734153032 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 19:59:08.329915047 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 18:59:08 GMT server: Apache set-cookie: __tad=1736967548.3746821; expires=Sat, 13-Jan-2035 18:59:08 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-089c-93ee-f812d32354a7 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49757	199.59.243.228	80	7604	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:59:08.533899069 CET	169	OUT	GET /?subid1=20250116-0559-089c-93ee-f812d32354a7 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 19:59:08.848803997 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 18:59:08 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 5a886b5f-df32-4c0d-8529-0bc4e30c0328 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_eE+YotMpW0uOJrMIQiPYzr9b3N71HbmILavyieFAsmouoFGroCZ+HY0ysRtFud0nx77plXhrhA11jaRTqdSAQw== set-cookie: parking_session=5a886b5f-df32-4c0d-8529-0bc4e30c0328; expires=Wed, 15 Jan 2025 19:14:08 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 45 2b 59 6f 74 4d 70 57 30 75 4f 4a 72 4d 49 51 69 50 59 7a 72 39 62 33 4e 37 31 48 62 6d 49 4c 61 76 79 69 65 46 41 73 6d 6f 75 6f 46 47 72 6f 43 5a 2b 48 59 30 79 73 52 74 46 75 64 30 6e 78 37 37 70 6c 58 68 72 68 41 31 31 6a 61 52 54 71 64 53 41 51 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_eE+YotMpW0uOJrMIQiPYzr9b3N71HbmILavyieFAsmouoFGroCZ+HY0ysRtFud0nx77plXhrhA11jaRTqdSAQw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 19:59:08.848819971 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWE4ODZiNWYtZGYzMi00YzBkLTg1MjktMGJjNGUzMGMwMzI4IiwicGFnZV90aW1lIjoxNzM2OTY3NTQ4LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49758	103.224.212.215	80	7632	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:59:08.594605923 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736967546.4825785
Jan 15, 2025 19:59:09.044250965 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 18:59:08 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0559-0897-b8cc-09a3c53062af content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49769	199.59.243.228	80	7632	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:59:09.053673029 CET	231	OUT	GET /?subid1=20250116-0559-0897-b8cc-09a3c53062af HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=ad8299c7-89ff-4ec2-bbe2-55e27823d865
Jan 15, 2025 19:59:09.519624949 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 18:59:08 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 1ae13674-f1ef-4131-894b-558b54853eaf cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DBAf2zU7lyRjCOZV5922B/VPKRJtdt6Mu+3Q4R2qIrvyJEkoDYnrTqnNQgRJV5bXMqFcMEEsW25s0rAOXjG2Ew== set-cookie: parking_session=ad8299c7-89ff-4ec2-bbe2-55e27823d865; expires=Wed, 15 Jan 2025 19:14:09 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 42 41 66 32 7a 55 37 6c 79 52 6a 43 4f 5a 56 35 39 32 32 42 2f 56 50 4b 52 4a 74 64 74 36 4d 75 2b 33 51 34 52 32 71 49 72 76 79 4a 45 6b 6f 44 59 6e 72 54 71 6e 4e 51 67 52 4a 56 35 62 58 4d 71 46 63 4d 45 45 73 57 32 35 73 30 72 41 4f 58 6a 47 32 45 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DBAf2zU7lyRjCOZV5922B/VPKRJtdt6Mu+3Q4R2qIrvyJEkoDYnrTqnNQgRJV5bXMqFcMEEsW25s0rAOXjG2Ew==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 19:59:09.519670963 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWQ4Mjk5YzctODlmZi00ZWMyLWJiZTItNTVlMjc4MjNkODY1IiwicGFnZV90aW1lIjoxNzM2OTY3NTQ5LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	13:59:03
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll"
Imagebase:	0x940000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:59:03
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:59:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:59:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\1U9rHEz9Rg.dll,PlayGame
Imagebase:	0x720000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:59:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",#1
Imagebase:	0x720000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:59:04
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	1DA4AA17D6682E2224513E559E86D658
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1365666506.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1365853075.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:59:06
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	1DA4AA17D6682E2224513E559E86D658
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1392320862.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1392456132.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2047532566.00000000023E9000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2047163125.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:59:06
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\1U9rHEz9Rg.dll",PlayGame
Imagebase:	0x720000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:59:07
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	1DA4AA17D6682E2224513E559E86D658
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1395551943.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1414303371.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.1395912911.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.1414468681.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

D, xrefs: 00407ED3
CreateProcessA, xrefs: 00407D07
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
WINDOWS, xrefs: 00407DF2, 00407E0D

Memory Dump Source

Source File: 00000006.00000002.1407869249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1407846952.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407892741.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407967402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1407869249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1407846952.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407892741.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407967402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1407869249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1407846952.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407892741.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407967402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.1407869249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1407846952.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407892741.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407967402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1407869249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1407846952.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407892741.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407913209.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1407967402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1408066147.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 7604, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2046098263.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2046079670.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046116501.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046201748.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046225612.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2046098263.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2046079670.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046116501.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046201748.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046225612.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2046098263.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2046079670.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046116501.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046201748.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046225612.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000008.00000002.2046098263.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2046079670.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046116501.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046201748.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046225612.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2046098263.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2046079670.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046116501.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046134499.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046183269.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046201748.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046225612.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2046317656.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1U9rHEz9Rg.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvc.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
1U9rHEz9Rg.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON