Edit tour

Windows Analysis Report
f5mfkHLLVe.dll

Overview

General Information

Sample name:	f5mfkHLLVe.dll renamed because original name is a hash value
Original sample name:	f4467cf9b7f5c536f0766ac2851b53b7.dll
Analysis ID:	1592051
MD5:	f4467cf9b7f5c536f0766ac2851b53b7
SHA1:	5c64d92015518d307b5e5856bc4e4ced71a08c2b
SHA256:	89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2084 cmdline: loaddll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6508 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 1656 cmdline: rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 5772 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 835246CD3690184218773906A49D8328)

rundll32.exe (PID: 6540 cmdline: rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1948 cmdline: rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 5916 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 835246CD3690184218773906A49D8328)

mssecsvr.exe (PID: 3196 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 835246CD3690184218773906A49D8328)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
f5mfkHLLVe.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
f5mfkHLLVe.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
f5mfkHLLVe.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000000.2185223099.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2160946796.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2189366681.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2205428809.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 5772	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3196	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 5916	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.1d4c084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.22748c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d7e128.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.1d7e128.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22a696c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.22a696c.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d7e128.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d7e128.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.1d7e128.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22a696c.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22a696c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.22a696c.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5b104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5b104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5b104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d5b104.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.2283948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2283948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2283948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2283948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d4c084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d4c084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4c084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22748c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22748c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.22748c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5b104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5b104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5b104.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.227f8e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.227f8e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.227f8e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d570a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d570a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d570a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.2283948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2283948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2283948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:47:15.943539+0100	2803304	3	Unknown Traffic	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-15T17:47:17.538441+0100	2803304	3	Unknown Traffic	192.168.2.6	49712	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:47:15.024089+0100	2830018	1	A Network Trojan was detected	192.168.2.6	53999	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: f5mfkHLLVe.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b827f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c58	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b82	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 96%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 96%

Multi AV Scanner detection for submitted file

Source: f5mfkHLLVe.dll	Virustotal: Detection: 94%			Perma Link
Source: f5mfkHLLVe.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: f5mfkHLLVe.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: f5mfkHLLVe.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49910 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50263 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50640 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50642 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.6:53999 -> 1.1.1.1:53

Source: unknown

Network traffic detected: IP country count 11

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-1541-9f57-da56839b827f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736959635.6911048
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-17ae-b188-3b0abf488c58 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=ebac6318-2a75-4752-ba46-19550119d49c

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49712 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 103.224.212.215:80

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49910 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 16.50.237.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.7
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.7
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.7
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.7
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 19.64.25.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.163
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.163
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.163
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.163
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.133.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-1541-9f57-da56839b827f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736959635.6911048
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-17ae-b188-3b0abf488c58 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=ebac6318-2a75-4752-ba46-19550119d49c

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%
Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw
Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2198166396.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b82
Source: mssecsvr.exe, 00000008.00000003.2197367859.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc
Source: mssecsvr.exe, 0000000A.00000002.2205984720.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c
Source: mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e
Source: f5mfkHLLVe.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2198166396.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2205984720.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/P
Source: mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/t
Source: mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com5
Source: mssecsvr.exe, 00000008.00000002.2832646077.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50640
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50642
Source: unknown	Network traffic detected: HTTP traffic on port 50263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 50642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 50640 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50263 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50640 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50642 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: f5mfkHLLVe.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2185223099.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2160946796.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2189366681.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2205428809.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5916, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: f5mfkHLLVe.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: f5mfkHLLVe.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d4c084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22748c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: tasksche.exe.6.dr

Static PE information: No import functions for PE file found

Source: f5mfkHLLVe.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: f5mfkHLLVe.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: f5mfkHLLVe.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d4c084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22748c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: f5mfkHLLVe.dll, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_03

Source: f5mfkHLLVe.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame

Source: f5mfkHLLVe.dll	Virustotal: Detection: 94%
Source: f5mfkHLLVe.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: f5mfkHLLVe.dll

Static file information: File size 5267459 > 1048576

Source: f5mfkHLLVe.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.64063717569669

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 3360	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3360	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 4620	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 4620	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3360	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000006.00000003.2176271509.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2198166396.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2197367859.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2205984720.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp7
Source: mssecsvr.exe, 0000000A.00000002.2205984720.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
f5mfkHLLVe.dll	94%	Virustotal		Browse
f5mfkHLLVe.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
f5mfkHLLVe.dll	100%	Avira	TR/AD.WannaCry.zlvlj
f5mfkHLLVe.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b827f	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c58	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b82	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c58	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b827f	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com5	mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.2198166396.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	f5mfkHLLVe.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c	mssecsvr.exe, 0000000A.00000002.2205984720.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b82	mssecsvr.exe, 00000006.00000002.2198166396.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2198166396.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2832646077.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%	mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/e	mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/t	mssecsvr.exe, 0000000A.00000002.2205984720.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc	mssecsvr.exe, 00000008.00000003.2197367859.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/P	mssecsvr.exe, 00000006.00000002.2198166396.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	mssecsvr.exe, 00000006.00000002.2198166396.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
152.164.46.1	unknown	United States	701	UUNETUS	false
182.30.213.111	unknown	Indonesia	4795	INDOSATM2-IDINDOSATM2ASNID	false
219.105.215.1	unknown	Japan	4704	SANNETRakutenMobileIncJP	false
154.92.211.86	unknown	Seychelles	22769	DDOSING-BGP-NETWORKUS	false
143.125.156.228	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
219.105.215.2	unknown	Japan	4704	SANNETRakutenMobileIncJP	false
16.50.237.212	unknown	United States	unknown	unknown	false
20.66.242.32	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
79.11.33.150	unknown	Italy	3269	ASN-IBSNAZIT	false
206.65.90.1	unknown	United States	701	UUNETUS	false
145.229.6.225	unknown	United Kingdom	33873	ARVATO-SYSTEMS-ASDE	false
35.145.151.140	unknown	United States	394141	ROCKET-FIBERUS	false
143.125.156.1	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
195.128.239.243	unknown	United Kingdom	24916	ORBITAL-ASNCountyHouseStationApproachGB	false
191.230.113.27	unknown	Brazil	26615	TIMSABR	false
146.245.78.167	unknown	United States	31822	CITY-UNIVERSITY-OF-NEW-YORKUS	false
206.65.90.206	unknown	United States	701	UUNETUS	false
95.128.26.42	unknown	Denmark	198455	I2-HOSTINGDK	false
219.105.215.211	unknown	Japan	4704	SANNETRakutenMobileIncJP	false
202.206.173.165	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
105.213.27.1	unknown	South Africa	16637	MTNNS-ASZA	false
76.104.214.135	unknown	United States	7922	COMCAST-7922US	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592051
Start date and time:	2025-01-15 17:46:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f5mfkHLLVe.dll renamed because original name is a hash value
Original Sample Name:	f4467cf9b7f5c536f0766ac2851b53b7.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 2.17.190.73, 2.22.50.131, 199.232.214.172, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:47:16	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:47:51	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SANNETRakutenMobileIncJP	bot.arm7.elf	Get hash	malicious	Mirai	Browse	157.220.202.165
	i686.elf	Get hash	malicious	Mirai	Browse	157.215.70.22
	i486.elf	Get hash	malicious	Mirai	Browse	157.214.20.146
	m68k.elf	Get hash	malicious	Mirai	Browse	157.219.93.165
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	202.216.21.255
	sh4.elf	Get hash	malicious	Mirai	Browse	157.194.40.21
	spc.elf	Get hash	malicious	Mirai	Browse	157.222.253.23
	ppc.elf	Get hash	malicious	Mirai	Browse	157.215.239.57
	mips.elf	Get hash	malicious	Mirai	Browse	157.215.70.26
	meth8.elf	Get hash	malicious	Mirai	Browse	157.222.228.58
UUNETUS	bot.x86.elf	Get hash	malicious	Unknown	Browse	173.70.19.67
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	72.73.7.152
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	203.102.176.156
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	96.255.184.180
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	193.130.206.250
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	63.21.192.94
	i686.elf	Get hash	malicious	Mirai	Browse	71.183.254.80
	arm5.elf	Get hash	malicious	Mirai	Browse	194.178.167.26
	m68k.elf	Get hash	malicious	Mirai	Browse	152.192.207.194
	xd.arm.elf	Get hash	malicious	Mirai	Browse	146.188.154.125
INDOSATM2-IDINDOSATM2ASNID	bot.arm5.elf	Get hash	malicious	Unknown	Browse	182.24.76.170
	spc.elf	Get hash	malicious	Unknown	Browse	182.27.1.176
	meth14.elf	Get hash	malicious	Mirai	Browse	124.81.164.56
	sora.mips.elf	Get hash	malicious	Unknown	Browse	114.56.64.156
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	182.28.200.241
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	219.83.157.198
	4.elf	Get hash	malicious	Unknown	Browse	124.81.4.59
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	182.28.194.84
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	114.58.228.10
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	182.24.76.182
DDOSING-BGP-NETWORKUS	camp.mips.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.m68k.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.arm.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.ppc.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.mpsl.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.arm7.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.x86_64.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	camp.i686.elf	Get hash	malicious	Mirai	Browse	154.213.187.11
	hikarm4.elf	Get hash	malicious	Unknown	Browse	154.213.187.125
	hikarm7.elf	Get hash	malicious	Mirai	Browse	154.213.187.125

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	173.222.162.64
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://teiegram-mg.org/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://reviewpolicysocialreach.vercel.app/help&z/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	40.115.3.253
	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	Updater.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	Updater.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	40.115.3.253
	https://pub-2d00d32ff6d84ef6999828eaf509b772.r2.dev/index.html#watson.becky@aidb.org	Get hash	malicious	HTMLPhisher	Browse	40.115.3.253
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	5.221684226784344
Encrypted:	false
SSDEEP:	24576:tihdmMSirYbcMNgef0QeQjG/D8kIqRYo:9MSPbcBVQej/1
MD5:	56000F7FC909094342ED67DF0A55DB32
SHA1:	D38085AC15E01FE6AE5599DBE52840AE10521E77
SHA-256:	5B6516A690ACC5DBDE55832F2D386E868B901A33669458D2FF6CF0499E376299
SHA-512:	3461B8F27FCB74A80F095FAAE8CAB5CD530330AA786AB74CBF3CA900A35C96283F25EFC84DE8C8821394F6A31FD139507322BCBFFD0EA60FB11C87605BF6FA59
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	5.221684226784344
Encrypted:	false
SSDEEP:	24576:tihdmMSirYbcMNgef0QeQjG/D8kIqRYo:9MSPbcBVQej/1
MD5:	56000F7FC909094342ED67DF0A55DB32
SHA1:	D38085AC15E01FE6AE5599DBE52840AE10521E77
SHA-256:	5B6516A690ACC5DBDE55832F2D386E868B901A33669458D2FF6CF0499E376299
SHA-512:	3461B8F27FCB74A80F095FAAE8CAB5CD530330AA786AB74CBF3CA900A35C96283F25EFC84DE8C8821394F6A31FD139507322BCBFFD0EA60FB11C87605BF6FA59
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.6683885199664408
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f5mfkHLLVe.dll
File size:	5'267'459 bytes
MD5:	f4467cf9b7f5c536f0766ac2851b53b7
SHA1:	5c64d92015518d307b5e5856bc4e4ced71a08c2b
SHA256:	89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
SHA512:	3a7bd00462040ed25e29ceef192dfcba74b81811465f5921b0a09deb4b3845e1686ed274ae12568f60ebee6fd9c6dbbc4cfd56a727f944101b1a86a38cc4c4a4
SSDEEP:	24576:RbLgurihdmMSirYbcMNgef0QeQjG/D8kIqRYo:RnnMSPbcBVQej/1
TLSH:	E536239A75AC51F8C2163770A4778E26E1B73C6D21BA9B0F9B808A321C03B55FB54F53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007EFFB4BBC8BBh
cmp dword ptr [10003140h], 00000000h
jmp 00007EFFB4BBC8D8h
cmp esi, 01h
je 00007EFFB4BBC8B7h
cmp esi, 02h
jne 00007EFFB4BBC8D4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007EFFB4BBC8BBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007EFFB4BBC8BEh
push edi
push esi
push ebx
call 00007EFFB4BBC7CAh
test eax, eax
jne 00007EFFB4BBC8B6h
xor eax, eax
jmp 00007EFFB4BBC900h
push edi
push esi
push ebx
call 00007EFFB4BBC67Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007EFFB4BBC8BEh
test eax, eax
jne 00007EFFB4BBC8E9h
push edi
push eax
push ebx
call 00007EFFB4BBC7A6h
test esi, esi
je 00007EFFB4BBC8B7h
cmp esi, 03h
jne 00007EFFB4BBC8D8h
push edi
push esi
push ebx
call 00007EFFB4BBC795h
test eax, eax
jne 00007EFFB4BBC8B5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007EFFB4BBC8C3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007EFFB4BBC8BAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	2e32551df713521a98531cf0531dce4b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8791799545288086

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T17:47:15.024089+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.6	53999	1.1.1.1	53	UDP
2025-01-15T17:47:15.943539+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-15T17:47:17.538441+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49712	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:47:07.428479910 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:07.428492069 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:07.694077969 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:14.058662891 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.058702946 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:14.058763981 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.059792042 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.059809923 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:14.867196083 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:14.867273092 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.872313023 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.872328997 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:14.872586012 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:14.874856949 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.874913931 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.874921083 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:14.875102997 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:14.919341087 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:15.046957016 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:15.047066927 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:15.047122955 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:15.047281027 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:15.047298908 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:15.332046986 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:15.336822987 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:15.336910963 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:15.337708950 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:15.342428923 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:15.943342924 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:15.943416119 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:15.943538904 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:15.995251894 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:16.000200987 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:16.332829952 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.337594032 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:16.337703943 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.337951899 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.342654943 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:16.806006908 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:16.806030035 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:16.806421995 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.813020945 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.813061953 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.818443060 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:16.818490028 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:16.940259933 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:16.945296049 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:16.945367098 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:16.945595980 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:16.950396061 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.037786007 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:17.037800074 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:17.303426981 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:17.374969959 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.379797935 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.379899979 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.380068064 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.384830952 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.538379908 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.538440943 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.538535118 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.538592100 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.542749882 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.545241117 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:17.547499895 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.550139904 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:17.550201893 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:17.550451040 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:17.555228949 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:17.990780115 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.990907907 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.990955114 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.991012096 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.993225098 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 17:47:17.995109081 CET	49715	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:17.998215914 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 17:47:17.999965906 CET	80	49715	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:18.000041962 CET	49715	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.000174046 CET	49715	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.004880905 CET	80	49715	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:18.025686026 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:18.025705099 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:18.025753021 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.025782108 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.031969070 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.032002926 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.065718889 CET	49716	445	192.168.2.6	16.50.237.212
Jan 15, 2025 17:47:18.070645094 CET	445	49716	16.50.237.212	192.168.2.6
Jan 15, 2025 17:47:18.070705891 CET	49716	445	192.168.2.6	16.50.237.212
Jan 15, 2025 17:47:18.070756912 CET	49716	445	192.168.2.6	16.50.237.212
Jan 15, 2025 17:47:18.073668957 CET	49717	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.077326059 CET	445	49716	16.50.237.212	192.168.2.6
Jan 15, 2025 17:47:18.077373028 CET	49716	445	192.168.2.6	16.50.237.212
Jan 15, 2025 17:47:18.078458071 CET	445	49717	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:18.078509092 CET	49717	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.078541994 CET	49717	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.079761028 CET	49718	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.084589005 CET	445	49718	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:18.084671974 CET	49718	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.084815979 CET	49718	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.085035086 CET	445	49717	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:18.085081100 CET	49717	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:18.089585066 CET	445	49718	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:18.495793104 CET	80	49715	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:18.495830059 CET	80	49715	199.59.243.228	192.168.2.6
Jan 15, 2025 17:47:18.495930910 CET	49715	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.560048103 CET	49715	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.560103893 CET	49715	80	192.168.2.6	199.59.243.228
Jan 15, 2025 17:47:18.971364021 CET	443	49705	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:18.971514940 CET	49705	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:20.070311069 CET	49747	445	192.168.2.6	19.64.25.7
Jan 15, 2025 17:47:20.075062990 CET	445	49747	19.64.25.7	192.168.2.6
Jan 15, 2025 17:47:20.075135946 CET	49747	445	192.168.2.6	19.64.25.7
Jan 15, 2025 17:47:20.075176001 CET	49747	445	192.168.2.6	19.64.25.7
Jan 15, 2025 17:47:20.075351954 CET	49748	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.080173016 CET	445	49747	19.64.25.7	192.168.2.6
Jan 15, 2025 17:47:20.080188036 CET	445	49748	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:20.080230951 CET	49747	445	192.168.2.6	19.64.25.7
Jan 15, 2025 17:47:20.080259085 CET	49748	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.080343962 CET	49748	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.081557035 CET	49749	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.085227013 CET	445	49748	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:20.086384058 CET	445	49749	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:20.086440086 CET	49748	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.086482048 CET	49749	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.086528063 CET	49749	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:20.091360092 CET	445	49749	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:22.086287022 CET	49780	445	192.168.2.6	23.60.133.163
Jan 15, 2025 17:47:22.091114044 CET	445	49780	23.60.133.163	192.168.2.6
Jan 15, 2025 17:47:22.091208935 CET	49780	445	192.168.2.6	23.60.133.163
Jan 15, 2025 17:47:22.091285944 CET	49780	445	192.168.2.6	23.60.133.163
Jan 15, 2025 17:47:22.091511965 CET	49781	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.092536926 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.092576981 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:22.092641115 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.093240023 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.093252897 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:22.096211910 CET	445	49780	23.60.133.163	192.168.2.6
Jan 15, 2025 17:47:22.096273899 CET	49780	445	192.168.2.6	23.60.133.163
Jan 15, 2025 17:47:22.096321106 CET	445	49781	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:22.096384048 CET	49781	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.096441031 CET	49781	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.097556114 CET	49783	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.101346970 CET	445	49781	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:22.101407051 CET	49781	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.102365971 CET	445	49783	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:22.102432013 CET	49783	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.102477074 CET	49783	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:22.107307911 CET	445	49783	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:22.909070969 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:22.909171104 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.911540031 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.911549091 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:22.911791086 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:22.914047003 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.914104939 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.914113998 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:22.914407969 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:22.955327034 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:23.090240955 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:23.090361118 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:23.090907097 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:23.102838039 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:23.102870941 CET	443	49782	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:23.102907896 CET	49782	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:24.102642059 CET	49821	445	192.168.2.6	219.105.215.211
Jan 15, 2025 17:47:24.108201027 CET	445	49821	219.105.215.211	192.168.2.6
Jan 15, 2025 17:47:24.108311892 CET	49821	445	192.168.2.6	219.105.215.211
Jan 15, 2025 17:47:24.108354092 CET	49821	445	192.168.2.6	219.105.215.211
Jan 15, 2025 17:47:24.108624935 CET	49822	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.114541054 CET	445	49821	219.105.215.211	192.168.2.6
Jan 15, 2025 17:47:24.114605904 CET	49821	445	192.168.2.6	219.105.215.211
Jan 15, 2025 17:47:24.114768028 CET	445	49822	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:24.114842892 CET	49822	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.114881992 CET	49822	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.116183043 CET	49823	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.121017933 CET	445	49823	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:24.121103048 CET	49823	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.121176004 CET	49823	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.122598886 CET	445	49822	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:24.122668982 CET	49822	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:24.125966072 CET	445	49823	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:26.117052078 CET	49855	445	192.168.2.6	146.131.129.220
Jan 15, 2025 17:47:26.121926069 CET	445	49855	146.131.129.220	192.168.2.6
Jan 15, 2025 17:47:26.122029066 CET	49855	445	192.168.2.6	146.131.129.220
Jan 15, 2025 17:47:26.122067928 CET	49855	445	192.168.2.6	146.131.129.220
Jan 15, 2025 17:47:26.122226954 CET	49856	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.127130032 CET	445	49856	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:26.127161980 CET	445	49855	146.131.129.220	192.168.2.6
Jan 15, 2025 17:47:26.127202988 CET	49856	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.127234936 CET	49855	445	192.168.2.6	146.131.129.220
Jan 15, 2025 17:47:26.127326012 CET	49856	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.128365993 CET	49857	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.132214069 CET	445	49856	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:26.132276058 CET	49856	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.133219004 CET	445	49857	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:26.133290052 CET	49857	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.133357048 CET	49857	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:26.138194084 CET	445	49857	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:28.134660006 CET	49895	445	192.168.2.6	20.66.242.32
Jan 15, 2025 17:47:28.139447927 CET	445	49895	20.66.242.32	192.168.2.6
Jan 15, 2025 17:47:28.139550924 CET	49895	445	192.168.2.6	20.66.242.32
Jan 15, 2025 17:47:28.139589071 CET	49895	445	192.168.2.6	20.66.242.32
Jan 15, 2025 17:47:28.139801025 CET	49896	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.144512892 CET	445	49895	20.66.242.32	192.168.2.6
Jan 15, 2025 17:47:28.144543886 CET	445	49896	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:28.144592047 CET	49895	445	192.168.2.6	20.66.242.32
Jan 15, 2025 17:47:28.144632101 CET	49896	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.144702911 CET	49896	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.145739079 CET	49897	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.149554014 CET	445	49896	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:28.149610043 CET	49896	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.150552034 CET	445	49897	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:28.150614977 CET	49897	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.150696993 CET	49897	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:28.155411959 CET	445	49897	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:28.672343969 CET	49705	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:28.672569036 CET	49705	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:28.672864914 CET	49910	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:28.672925949 CET	443	49910	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:28.673000097 CET	49910	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:28.673326015 CET	49910	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:28.673345089 CET	443	49910	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:28.677135944 CET	443	49705	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:28.677284002 CET	443	49705	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:29.270440102 CET	443	49910	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:29.270515919 CET	49910	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:30.149133921 CET	49932	445	192.168.2.6	123.192.157.165
Jan 15, 2025 17:47:30.154208899 CET	445	49932	123.192.157.165	192.168.2.6
Jan 15, 2025 17:47:30.156364918 CET	49932	445	192.168.2.6	123.192.157.165
Jan 15, 2025 17:47:30.159269094 CET	49932	445	192.168.2.6	123.192.157.165
Jan 15, 2025 17:47:30.159516096 CET	49933	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.164104939 CET	445	49932	123.192.157.165	192.168.2.6
Jan 15, 2025 17:47:30.164172888 CET	49932	445	192.168.2.6	123.192.157.165
Jan 15, 2025 17:47:30.164721966 CET	445	49933	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:30.164782047 CET	49933	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.164876938 CET	49933	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.165265083 CET	49935	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.169894934 CET	445	49933	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:30.170002937 CET	49933	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.170146942 CET	445	49935	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:30.170203924 CET	49935	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.170232058 CET	49935	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:30.175019026 CET	445	49935	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:32.163191080 CET	49970	445	192.168.2.6	40.1.60.211
Jan 15, 2025 17:47:32.167960882 CET	445	49970	40.1.60.211	192.168.2.6
Jan 15, 2025 17:47:32.168019056 CET	49970	445	192.168.2.6	40.1.60.211
Jan 15, 2025 17:47:32.168044090 CET	49970	445	192.168.2.6	40.1.60.211
Jan 15, 2025 17:47:32.168186903 CET	49971	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.172959089 CET	445	49971	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:32.172970057 CET	445	49970	40.1.60.211	192.168.2.6
Jan 15, 2025 17:47:32.173036098 CET	49970	445	192.168.2.6	40.1.60.211
Jan 15, 2025 17:47:32.173052073 CET	49971	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.173155069 CET	49971	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.173430920 CET	49972	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.178030014 CET	445	49971	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:32.178077936 CET	49971	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.178219080 CET	445	49972	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:32.178277969 CET	49972	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.178306103 CET	49972	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:32.183034897 CET	445	49972	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:34.179055929 CET	50005	445	192.168.2.6	14.222.195.122
Jan 15, 2025 17:47:34.184484005 CET	445	50005	14.222.195.122	192.168.2.6
Jan 15, 2025 17:47:34.184612989 CET	50005	445	192.168.2.6	14.222.195.122
Jan 15, 2025 17:47:34.184640884 CET	50005	445	192.168.2.6	14.222.195.122
Jan 15, 2025 17:47:34.184746027 CET	50006	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.190301895 CET	445	50005	14.222.195.122	192.168.2.6
Jan 15, 2025 17:47:34.190388918 CET	50005	445	192.168.2.6	14.222.195.122
Jan 15, 2025 17:47:34.190737963 CET	445	50006	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:34.190807104 CET	50006	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.190834999 CET	50006	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.191288948 CET	50007	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.196835995 CET	445	50007	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:34.196919918 CET	445	50006	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:34.196938992 CET	50007	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.196971893 CET	50006	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.197058916 CET	50007	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:34.201812029 CET	445	50007	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:34.764955044 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:34.764995098 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:34.765086889 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:34.765642881 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:34.765660048 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.557648897 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.557738066 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.564352036 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.564385891 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.564574957 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.566706896 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.566754103 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.566759109 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.566914082 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.607335091 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.738528013 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.738624096 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:35.738686085 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.738900900 CET	50020	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:35.738924026 CET	443	50020	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:36.194664955 CET	50044	445	192.168.2.6	206.65.90.206
Jan 15, 2025 17:47:36.199528933 CET	445	50044	206.65.90.206	192.168.2.6
Jan 15, 2025 17:47:36.199609995 CET	50044	445	192.168.2.6	206.65.90.206
Jan 15, 2025 17:47:36.199687958 CET	50044	445	192.168.2.6	206.65.90.206
Jan 15, 2025 17:47:36.199881077 CET	50045	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.204524994 CET	445	50044	206.65.90.206	192.168.2.6
Jan 15, 2025 17:47:36.204585075 CET	50044	445	192.168.2.6	206.65.90.206
Jan 15, 2025 17:47:36.204627991 CET	445	50045	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:36.204689980 CET	50045	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.204720020 CET	50045	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.204986095 CET	50046	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.209732056 CET	445	50045	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:36.209779024 CET	50045	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.209813118 CET	445	50046	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:36.209868908 CET	50046	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.209906101 CET	50046	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:36.214699030 CET	445	50046	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:38.210134983 CET	50079	445	192.168.2.6	35.145.151.140
Jan 15, 2025 17:47:38.215064049 CET	445	50079	35.145.151.140	192.168.2.6
Jan 15, 2025 17:47:38.215157986 CET	50079	445	192.168.2.6	35.145.151.140
Jan 15, 2025 17:47:38.215341091 CET	50079	445	192.168.2.6	35.145.151.140
Jan 15, 2025 17:47:38.215559006 CET	50080	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.220304966 CET	445	50079	35.145.151.140	192.168.2.6
Jan 15, 2025 17:47:38.220365047 CET	50079	445	192.168.2.6	35.145.151.140
Jan 15, 2025 17:47:38.220433950 CET	445	50080	35.145.151.1	192.168.2.6
Jan 15, 2025 17:47:38.220499039 CET	50080	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.220532894 CET	50080	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.220827103 CET	50081	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.225435019 CET	445	50080	35.145.151.1	192.168.2.6
Jan 15, 2025 17:47:38.225491047 CET	50080	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.225670099 CET	445	50081	35.145.151.1	192.168.2.6
Jan 15, 2025 17:47:38.225739002 CET	50081	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.225795031 CET	50081	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:38.230663061 CET	445	50081	35.145.151.1	192.168.2.6
Jan 15, 2025 17:47:39.436357975 CET	445	49718	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:39.436455011 CET	49718	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:39.439452887 CET	49718	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:39.439565897 CET	49718	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:39.444221973 CET	445	49718	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:39.444312096 CET	445	49718	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:40.225577116 CET	50119	445	192.168.2.6	105.213.27.237
Jan 15, 2025 17:47:40.230397940 CET	445	50119	105.213.27.237	192.168.2.6
Jan 15, 2025 17:47:40.230495930 CET	50119	445	192.168.2.6	105.213.27.237
Jan 15, 2025 17:47:40.230496883 CET	50119	445	192.168.2.6	105.213.27.237
Jan 15, 2025 17:47:40.230590105 CET	50120	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.235356092 CET	445	50120	105.213.27.1	192.168.2.6
Jan 15, 2025 17:47:40.235430002 CET	50120	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.235440969 CET	50120	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.235649109 CET	445	50119	105.213.27.237	192.168.2.6
Jan 15, 2025 17:47:40.235707045 CET	50119	445	192.168.2.6	105.213.27.237
Jan 15, 2025 17:47:40.235913992 CET	50121	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.240361929 CET	445	50120	105.213.27.1	192.168.2.6
Jan 15, 2025 17:47:40.240433931 CET	50120	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.240727901 CET	445	50121	105.213.27.1	192.168.2.6
Jan 15, 2025 17:47:40.240792036 CET	50121	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.240839958 CET	50121	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:47:40.245544910 CET	445	50121	105.213.27.1	192.168.2.6
Jan 15, 2025 17:47:41.456386089 CET	445	49749	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:41.456448078 CET	49749	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:41.456491947 CET	49749	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:41.456577063 CET	49749	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:41.461314917 CET	445	49749	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:41.461337090 CET	445	49749	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:42.241414070 CET	50154	445	192.168.2.6	152.164.46.230
Jan 15, 2025 17:47:42.246299028 CET	445	50154	152.164.46.230	192.168.2.6
Jan 15, 2025 17:47:42.246392012 CET	50154	445	192.168.2.6	152.164.46.230
Jan 15, 2025 17:47:42.246392012 CET	50154	445	192.168.2.6	152.164.46.230
Jan 15, 2025 17:47:42.246505976 CET	50155	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.251291037 CET	445	50155	152.164.46.1	192.168.2.6
Jan 15, 2025 17:47:42.251342058 CET	445	50154	152.164.46.230	192.168.2.6
Jan 15, 2025 17:47:42.251359940 CET	50155	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.251374006 CET	50155	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.251389027 CET	50154	445	192.168.2.6	152.164.46.230
Jan 15, 2025 17:47:42.251660109 CET	50156	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.256333113 CET	445	50155	152.164.46.1	192.168.2.6
Jan 15, 2025 17:47:42.256413937 CET	50155	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.256421089 CET	445	50156	152.164.46.1	192.168.2.6
Jan 15, 2025 17:47:42.256479025 CET	50156	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.256504059 CET	50156	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:47:42.261293888 CET	445	50156	152.164.46.1	192.168.2.6
Jan 15, 2025 17:47:42.444283009 CET	50162	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:42.449139118 CET	445	50162	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:42.449203968 CET	50162	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:42.449250937 CET	50162	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:47:42.454035997 CET	445	50162	16.50.237.1	192.168.2.6
Jan 15, 2025 17:47:43.501262903 CET	445	49783	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:43.501395941 CET	49783	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:43.501471043 CET	49783	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:43.501554966 CET	49783	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:43.506230116 CET	445	49783	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:43.506330013 CET	445	49783	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:44.259543896 CET	50174	445	192.168.2.6	145.229.6.225
Jan 15, 2025 17:47:44.264316082 CET	445	50174	145.229.6.225	192.168.2.6
Jan 15, 2025 17:47:44.264386892 CET	50174	445	192.168.2.6	145.229.6.225
Jan 15, 2025 17:47:44.264453888 CET	50174	445	192.168.2.6	145.229.6.225
Jan 15, 2025 17:47:44.264594078 CET	50175	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.269359112 CET	445	50175	145.229.6.1	192.168.2.6
Jan 15, 2025 17:47:44.269416094 CET	50175	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.269431114 CET	50175	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.269510031 CET	445	50174	145.229.6.225	192.168.2.6
Jan 15, 2025 17:47:44.269584894 CET	50174	445	192.168.2.6	145.229.6.225
Jan 15, 2025 17:47:44.269973040 CET	50176	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.275908947 CET	445	50175	145.229.6.1	192.168.2.6
Jan 15, 2025 17:47:44.275963068 CET	50175	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.276240110 CET	445	50176	145.229.6.1	192.168.2.6
Jan 15, 2025 17:47:44.276372910 CET	50176	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.276431084 CET	50176	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:47:44.282773018 CET	445	50176	145.229.6.1	192.168.2.6
Jan 15, 2025 17:47:44.460148096 CET	50177	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:44.464992046 CET	445	50177	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:44.465084076 CET	50177	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:44.465140104 CET	50177	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:47:44.469928026 CET	445	50177	19.64.25.1	192.168.2.6
Jan 15, 2025 17:47:45.499557972 CET	445	49823	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:45.499689102 CET	49823	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:45.499747038 CET	49823	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:45.499793053 CET	49823	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:45.504632950 CET	445	49823	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:45.504662991 CET	445	49823	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:46.273129940 CET	50190	445	192.168.2.6	191.230.113.27
Jan 15, 2025 17:47:46.278258085 CET	445	50190	191.230.113.27	192.168.2.6
Jan 15, 2025 17:47:46.278487921 CET	50190	445	192.168.2.6	191.230.113.27
Jan 15, 2025 17:47:46.278703928 CET	50190	445	192.168.2.6	191.230.113.27
Jan 15, 2025 17:47:46.279202938 CET	50191	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.283638000 CET	445	50190	191.230.113.27	192.168.2.6
Jan 15, 2025 17:47:46.283725023 CET	50190	445	192.168.2.6	191.230.113.27
Jan 15, 2025 17:47:46.284037113 CET	445	50191	191.230.113.1	192.168.2.6
Jan 15, 2025 17:47:46.284113884 CET	50191	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.284152031 CET	50191	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.284507990 CET	50192	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.289196968 CET	445	50191	191.230.113.1	192.168.2.6
Jan 15, 2025 17:47:46.289307117 CET	50191	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.289371967 CET	445	50192	191.230.113.1	192.168.2.6
Jan 15, 2025 17:47:46.289443970 CET	50192	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.289485931 CET	50192	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:47:46.294265985 CET	445	50192	191.230.113.1	192.168.2.6
Jan 15, 2025 17:47:46.506903887 CET	50196	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:46.511946917 CET	445	50196	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:46.512960911 CET	50196	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:46.513041019 CET	50196	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:47:46.517896891 CET	445	50196	23.60.133.1	192.168.2.6
Jan 15, 2025 17:47:47.530986071 CET	445	49857	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:47.531106949 CET	49857	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:47.531311035 CET	49857	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:47.531616926 CET	49857	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:47.536192894 CET	445	49857	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:47.536370993 CET	445	49857	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:48.288444042 CET	50206	445	192.168.2.6	198.0.119.77
Jan 15, 2025 17:47:48.299256086 CET	445	50206	198.0.119.77	192.168.2.6
Jan 15, 2025 17:47:48.299459934 CET	50206	445	192.168.2.6	198.0.119.77
Jan 15, 2025 17:47:48.299587965 CET	50206	445	192.168.2.6	198.0.119.77
Jan 15, 2025 17:47:48.299681902 CET	50207	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.304888964 CET	445	50207	198.0.119.1	192.168.2.6
Jan 15, 2025 17:47:48.304964066 CET	50207	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.304991961 CET	445	50206	198.0.119.77	192.168.2.6
Jan 15, 2025 17:47:48.305075884 CET	50207	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.305105925 CET	50206	445	192.168.2.6	198.0.119.77
Jan 15, 2025 17:47:48.305344105 CET	50209	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.309982061 CET	445	50207	198.0.119.1	192.168.2.6
Jan 15, 2025 17:47:48.310158014 CET	445	50209	198.0.119.1	192.168.2.6
Jan 15, 2025 17:47:48.310219049 CET	50207	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.310235977 CET	50209	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.310260057 CET	50209	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:47:48.315088034 CET	445	50209	198.0.119.1	192.168.2.6
Jan 15, 2025 17:47:48.424825907 CET	443	49910	173.222.162.64	192.168.2.6
Jan 15, 2025 17:47:48.424901009 CET	49910	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:47:48.534585953 CET	50210	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:48.539442062 CET	445	50210	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:48.539525032 CET	50210	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:48.564321041 CET	50210	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:47:48.569124937 CET	445	50210	219.105.215.1	192.168.2.6
Jan 15, 2025 17:47:49.530888081 CET	445	49897	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:49.530999899 CET	49897	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:49.531161070 CET	49897	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:49.531240940 CET	49897	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:49.535944939 CET	445	49897	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:49.535983086 CET	445	49897	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:50.303927898 CET	50223	445	192.168.2.6	95.128.26.42
Jan 15, 2025 17:47:50.308775902 CET	445	50223	95.128.26.42	192.168.2.6
Jan 15, 2025 17:47:50.308861971 CET	50223	445	192.168.2.6	95.128.26.42
Jan 15, 2025 17:47:50.308917046 CET	50223	445	192.168.2.6	95.128.26.42
Jan 15, 2025 17:47:50.309036970 CET	50224	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.313874960 CET	445	50224	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:50.313957930 CET	445	50223	95.128.26.42	192.168.2.6
Jan 15, 2025 17:47:50.313961983 CET	50224	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.313961983 CET	50224	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.314116001 CET	50223	445	192.168.2.6	95.128.26.42
Jan 15, 2025 17:47:50.314300060 CET	50225	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.318873882 CET	445	50224	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:50.318932056 CET	50224	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.319087029 CET	445	50225	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:50.319170952 CET	50225	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.319195986 CET	50225	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:50.323982954 CET	445	50225	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:50.538151026 CET	50228	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:50.543055058 CET	445	50228	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:50.544909000 CET	50228	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:50.544955015 CET	50228	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:47:50.549701929 CET	445	50228	146.131.129.1	192.168.2.6
Jan 15, 2025 17:47:51.536462069 CET	445	49935	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:51.536549091 CET	49935	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:51.536590099 CET	49935	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:51.536612988 CET	49935	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:51.541488886 CET	445	49935	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:51.541518927 CET	445	49935	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:52.006678104 CET	445	50225	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:52.006742001 CET	50225	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:52.006762028 CET	50225	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:52.006802082 CET	50225	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:52.011584997 CET	445	50225	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:52.011627913 CET	445	50225	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:52.319634914 CET	50240	445	192.168.2.6	103.73.95.239
Jan 15, 2025 17:47:52.324466944 CET	445	50240	103.73.95.239	192.168.2.6
Jan 15, 2025 17:47:52.324562073 CET	50240	445	192.168.2.6	103.73.95.239
Jan 15, 2025 17:47:52.324579954 CET	50240	445	192.168.2.6	103.73.95.239
Jan 15, 2025 17:47:52.324671030 CET	50241	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.329422951 CET	445	50241	103.73.95.1	192.168.2.6
Jan 15, 2025 17:47:52.329487085 CET	50241	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.329504967 CET	50241	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.329615116 CET	445	50240	103.73.95.239	192.168.2.6
Jan 15, 2025 17:47:52.329658985 CET	50240	445	192.168.2.6	103.73.95.239
Jan 15, 2025 17:47:52.329812050 CET	50242	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.334434986 CET	445	50241	103.73.95.1	192.168.2.6
Jan 15, 2025 17:47:52.334491014 CET	50241	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.334611893 CET	445	50242	103.73.95.1	192.168.2.6
Jan 15, 2025 17:47:52.334682941 CET	50242	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.334698915 CET	50242	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:47:52.339430094 CET	445	50242	103.73.95.1	192.168.2.6
Jan 15, 2025 17:47:52.538197994 CET	50245	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:52.543138027 CET	445	50245	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:52.543237925 CET	50245	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:52.543281078 CET	50245	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:47:52.548018932 CET	445	50245	20.66.242.1	192.168.2.6
Jan 15, 2025 17:47:53.548300982 CET	445	49972	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:53.548401117 CET	49972	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:53.548460960 CET	49972	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:53.548521042 CET	49972	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:53.553296089 CET	445	49972	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:53.553327084 CET	445	49972	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:54.194544077 CET	50257	445	192.168.2.6	143.125.156.228
Jan 15, 2025 17:47:54.199379921 CET	445	50257	143.125.156.228	192.168.2.6
Jan 15, 2025 17:47:54.199459076 CET	50257	445	192.168.2.6	143.125.156.228
Jan 15, 2025 17:47:54.199553013 CET	50257	445	192.168.2.6	143.125.156.228
Jan 15, 2025 17:47:54.199790955 CET	50258	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.204400063 CET	445	50257	143.125.156.228	192.168.2.6
Jan 15, 2025 17:47:54.204458952 CET	50257	445	192.168.2.6	143.125.156.228
Jan 15, 2025 17:47:54.204603910 CET	445	50258	143.125.156.1	192.168.2.6
Jan 15, 2025 17:47:54.204665899 CET	50258	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.204684973 CET	50258	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.205089092 CET	50259	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.209680080 CET	445	50258	143.125.156.1	192.168.2.6
Jan 15, 2025 17:47:54.209736109 CET	50258	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.209990978 CET	445	50259	143.125.156.1	192.168.2.6
Jan 15, 2025 17:47:54.210128069 CET	50259	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.210128069 CET	50259	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:47:54.214987993 CET	445	50259	143.125.156.1	192.168.2.6
Jan 15, 2025 17:47:54.540606976 CET	50261	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:54.545567036 CET	445	50261	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:54.545633078 CET	50261	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:54.545694113 CET	50261	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:47:54.550494909 CET	445	50261	123.192.157.1	192.168.2.6
Jan 15, 2025 17:47:54.640305996 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:54.640336037 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:54.640431881 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:54.641005993 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:54.641022921 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.022392035 CET	50267	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:55.027182102 CET	445	50267	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:55.027259111 CET	50267	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:55.027271032 CET	50267	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:55.032113075 CET	445	50267	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:55.458267927 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.458333015 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.459862947 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.459873915 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.460102081 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.461654902 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.461710930 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.461716890 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.461834908 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.503334999 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.567842960 CET	445	50007	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:55.569056988 CET	50007	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:55.569077969 CET	50007	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:55.569123983 CET	50007	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:55.574023962 CET	445	50007	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:55.574055910 CET	445	50007	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:55.633853912 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.633955002 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.634038925 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.634336948 CET	50263	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:47:55.634356976 CET	443	50263	40.115.3.253	192.168.2.6
Jan 15, 2025 17:47:55.944686890 CET	50274	445	192.168.2.6	146.245.78.167
Jan 15, 2025 17:47:55.949584007 CET	445	50274	146.245.78.167	192.168.2.6
Jan 15, 2025 17:47:55.952382088 CET	50274	445	192.168.2.6	146.245.78.167
Jan 15, 2025 17:47:55.953856945 CET	50274	445	192.168.2.6	146.245.78.167
Jan 15, 2025 17:47:55.954168081 CET	50275	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.958640099 CET	445	50274	146.245.78.167	192.168.2.6
Jan 15, 2025 17:47:55.958822966 CET	50274	445	192.168.2.6	146.245.78.167
Jan 15, 2025 17:47:55.958986998 CET	445	50275	146.245.78.1	192.168.2.6
Jan 15, 2025 17:47:55.959048986 CET	50275	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.959074020 CET	50275	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.959372044 CET	50276	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.964231968 CET	445	50276	146.245.78.1	192.168.2.6
Jan 15, 2025 17:47:55.964301109 CET	50276	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.964319944 CET	50276	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.964854956 CET	445	50275	146.245.78.1	192.168.2.6
Jan 15, 2025 17:47:55.964905024 CET	50275	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:47:55.969099998 CET	445	50276	146.245.78.1	192.168.2.6
Jan 15, 2025 17:47:56.553643942 CET	50281	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:56.558490038 CET	445	50281	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:56.558563948 CET	50281	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:56.558578968 CET	50281	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:47:56.563986063 CET	445	50281	40.1.60.1	192.168.2.6
Jan 15, 2025 17:47:56.707154989 CET	445	50267	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:56.707220078 CET	50267	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:56.707247972 CET	50267	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:56.707277060 CET	50267	445	192.168.2.6	95.128.26.1
Jan 15, 2025 17:47:56.712070942 CET	445	50267	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:56.712085009 CET	445	50267	95.128.26.1	192.168.2.6
Jan 15, 2025 17:47:56.772620916 CET	50283	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.777429104 CET	445	50283	95.128.26.2	192.168.2.6
Jan 15, 2025 17:47:56.777528048 CET	50283	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.777606010 CET	50283	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.778100967 CET	50284	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.782546997 CET	445	50283	95.128.26.2	192.168.2.6
Jan 15, 2025 17:47:56.782609940 CET	50283	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.782928944 CET	445	50284	95.128.26.2	192.168.2.6
Jan 15, 2025 17:47:56.782996893 CET	50284	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.783031940 CET	50284	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:47:56.787817001 CET	445	50284	95.128.26.2	192.168.2.6
Jan 15, 2025 17:47:57.577913046 CET	445	50046	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:57.578022003 CET	50046	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:57.578022003 CET	50046	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:57.578110933 CET	50046	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:47:57.582921028 CET	445	50046	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:57.582935095 CET	445	50046	206.65.90.1	192.168.2.6
Jan 15, 2025 17:47:57.585118055 CET	50290	445	192.168.2.6	76.104.214.135
Jan 15, 2025 17:47:57.590065956 CET	445	50290	76.104.214.135	192.168.2.6
Jan 15, 2025 17:47:57.590131998 CET	50290	445	192.168.2.6	76.104.214.135
Jan 15, 2025 17:47:57.590167999 CET	50290	445	192.168.2.6	76.104.214.135
Jan 15, 2025 17:47:57.590349913 CET	50291	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.595208883 CET	445	50290	76.104.214.135	192.168.2.6
Jan 15, 2025 17:47:57.595223904 CET	445	50291	76.104.214.1	192.168.2.6
Jan 15, 2025 17:47:57.595268965 CET	50290	445	192.168.2.6	76.104.214.135
Jan 15, 2025 17:47:57.595303059 CET	50291	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.595370054 CET	50291	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.595618963 CET	50292	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.600367069 CET	445	50291	76.104.214.1	192.168.2.6
Jan 15, 2025 17:47:57.600397110 CET	445	50292	76.104.214.1	192.168.2.6
Jan 15, 2025 17:47:57.600433111 CET	50291	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.600475073 CET	50292	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.600476027 CET	50292	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:47:57.605283022 CET	445	50292	76.104.214.1	192.168.2.6
Jan 15, 2025 17:47:58.584971905 CET	50300	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:58.590234995 CET	445	50300	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:58.590312958 CET	50300	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:58.590348959 CET	50300	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:47:58.595149994 CET	445	50300	14.222.195.1	192.168.2.6
Jan 15, 2025 17:47:59.116605043 CET	50303	445	192.168.2.6	24.191.188.106
Jan 15, 2025 17:47:59.159652948 CET	445	50303	24.191.188.106	192.168.2.6
Jan 15, 2025 17:47:59.159832954 CET	50303	445	192.168.2.6	24.191.188.106
Jan 15, 2025 17:47:59.159832954 CET	50303	445	192.168.2.6	24.191.188.106
Jan 15, 2025 17:47:59.160046101 CET	50304	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.164777994 CET	445	50303	24.191.188.106	192.168.2.6
Jan 15, 2025 17:47:59.164834023 CET	50303	445	192.168.2.6	24.191.188.106
Jan 15, 2025 17:47:59.164892912 CET	445	50304	24.191.188.1	192.168.2.6
Jan 15, 2025 17:47:59.164952993 CET	50304	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.164994001 CET	50304	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.165255070 CET	50305	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.169955015 CET	445	50304	24.191.188.1	192.168.2.6
Jan 15, 2025 17:47:59.170039892 CET	50304	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.170079947 CET	445	50305	24.191.188.1	192.168.2.6
Jan 15, 2025 17:47:59.170160055 CET	50305	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.170201063 CET	50305	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:47:59.174926996 CET	445	50305	24.191.188.1	192.168.2.6
Jan 15, 2025 17:47:59.597434998 CET	445	50081	35.145.151.1	192.168.2.6
Jan 15, 2025 17:47:59.597549915 CET	50081	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:59.597604036 CET	50081	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:59.597659111 CET	50081	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:47:59.602493048 CET	445	50081	35.145.151.1	192.168.2.6
Jan 15, 2025 17:47:59.602509022 CET	445	50081	35.145.151.1	192.168.2.6
Jan 15, 2025 17:48:00.540724993 CET	50315	445	192.168.2.6	195.128.239.243
Jan 15, 2025 17:48:00.545813084 CET	445	50315	195.128.239.243	192.168.2.6
Jan 15, 2025 17:48:00.545890093 CET	50315	445	192.168.2.6	195.128.239.243
Jan 15, 2025 17:48:00.545943022 CET	50315	445	192.168.2.6	195.128.239.243
Jan 15, 2025 17:48:00.546062946 CET	50316	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.551007032 CET	445	50316	195.128.239.1	192.168.2.6
Jan 15, 2025 17:48:00.551021099 CET	445	50315	195.128.239.243	192.168.2.6
Jan 15, 2025 17:48:00.551069975 CET	50316	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.551100016 CET	50315	445	192.168.2.6	195.128.239.243
Jan 15, 2025 17:48:00.551168919 CET	50316	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.551426888 CET	50317	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.556019068 CET	445	50316	195.128.239.1	192.168.2.6
Jan 15, 2025 17:48:00.556080103 CET	50316	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.556452990 CET	445	50317	195.128.239.1	192.168.2.6
Jan 15, 2025 17:48:00.556509018 CET	50317	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.556540966 CET	50317	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:00.561331987 CET	445	50317	195.128.239.1	192.168.2.6
Jan 15, 2025 17:48:00.584872961 CET	50318	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:48:00.589903116 CET	445	50318	206.65.90.1	192.168.2.6
Jan 15, 2025 17:48:00.590104103 CET	50318	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:48:00.590147018 CET	50318	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:48:00.594926119 CET	445	50318	206.65.90.1	192.168.2.6
Jan 15, 2025 17:48:01.594402075 CET	445	50121	105.213.27.1	192.168.2.6
Jan 15, 2025 17:48:01.594559908 CET	50121	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:01.594594002 CET	50121	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:01.594623089 CET	50121	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:01.599385023 CET	445	50121	105.213.27.1	192.168.2.6
Jan 15, 2025 17:48:01.599411964 CET	445	50121	105.213.27.1	192.168.2.6
Jan 15, 2025 17:48:01.866652012 CET	50324	445	192.168.2.6	202.206.173.165
Jan 15, 2025 17:48:01.871479988 CET	445	50324	202.206.173.165	192.168.2.6
Jan 15, 2025 17:48:01.871547937 CET	50324	445	192.168.2.6	202.206.173.165
Jan 15, 2025 17:48:01.871565104 CET	50324	445	192.168.2.6	202.206.173.165
Jan 15, 2025 17:48:01.871761084 CET	50325	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.876555920 CET	445	50324	202.206.173.165	192.168.2.6
Jan 15, 2025 17:48:01.876588106 CET	445	50325	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:01.876606941 CET	50324	445	192.168.2.6	202.206.173.165
Jan 15, 2025 17:48:01.876663923 CET	50325	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.876745939 CET	50325	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.877048016 CET	50326	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.881686926 CET	445	50325	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:01.881745100 CET	50325	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.881880999 CET	445	50326	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:01.881936073 CET	50326	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.881958008 CET	50326	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:01.886769056 CET	445	50326	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:02.600725889 CET	50330	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:48:02.606215954 CET	445	50330	35.145.151.1	192.168.2.6
Jan 15, 2025 17:48:02.606331110 CET	50330	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:48:02.606467009 CET	50330	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:48:02.611296892 CET	445	50330	35.145.151.1	192.168.2.6
Jan 15, 2025 17:48:03.116358042 CET	50333	445	192.168.2.6	72.37.75.129
Jan 15, 2025 17:48:03.121277094 CET	445	50333	72.37.75.129	192.168.2.6
Jan 15, 2025 17:48:03.121340036 CET	50333	445	192.168.2.6	72.37.75.129
Jan 15, 2025 17:48:03.121398926 CET	50333	445	192.168.2.6	72.37.75.129
Jan 15, 2025 17:48:03.121566057 CET	50334	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.126367092 CET	445	50334	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:03.126425028 CET	50334	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.126445055 CET	445	50333	72.37.75.129	192.168.2.6
Jan 15, 2025 17:48:03.126463890 CET	50334	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.126490116 CET	50333	445	192.168.2.6	72.37.75.129
Jan 15, 2025 17:48:03.126740932 CET	50335	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.131469965 CET	445	50334	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:03.131535053 CET	50334	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.131576061 CET	445	50335	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:03.131622076 CET	50335	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.131675959 CET	50335	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:03.136514902 CET	445	50335	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:03.625701904 CET	445	50156	152.164.46.1	192.168.2.6
Jan 15, 2025 17:48:03.625786066 CET	50156	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:03.625827074 CET	50156	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:03.625885963 CET	50156	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:03.630575895 CET	445	50156	152.164.46.1	192.168.2.6
Jan 15, 2025 17:48:03.630597115 CET	445	50156	152.164.46.1	192.168.2.6
Jan 15, 2025 17:48:03.796750069 CET	445	50162	16.50.237.1	192.168.2.6
Jan 15, 2025 17:48:03.796871901 CET	50162	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:48:03.796915054 CET	50162	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:48:03.796989918 CET	50162	445	192.168.2.6	16.50.237.1
Jan 15, 2025 17:48:03.801685095 CET	445	50162	16.50.237.1	192.168.2.6
Jan 15, 2025 17:48:03.801728964 CET	445	50162	16.50.237.1	192.168.2.6
Jan 15, 2025 17:48:03.850658894 CET	50336	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.855593920 CET	445	50336	16.50.237.2	192.168.2.6
Jan 15, 2025 17:48:03.855669975 CET	50336	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.855706930 CET	50336	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.856071949 CET	50337	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.860657930 CET	445	50336	16.50.237.2	192.168.2.6
Jan 15, 2025 17:48:03.860719919 CET	50336	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.860874891 CET	445	50337	16.50.237.2	192.168.2.6
Jan 15, 2025 17:48:03.860935926 CET	50337	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.860971928 CET	50337	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:03.865712881 CET	445	50337	16.50.237.2	192.168.2.6
Jan 15, 2025 17:48:04.272916079 CET	50338	445	192.168.2.6	60.58.95.122
Jan 15, 2025 17:48:04.277708054 CET	445	50338	60.58.95.122	192.168.2.6
Jan 15, 2025 17:48:04.278109074 CET	50338	445	192.168.2.6	60.58.95.122
Jan 15, 2025 17:48:04.278134108 CET	50338	445	192.168.2.6	60.58.95.122
Jan 15, 2025 17:48:04.278235912 CET	50339	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.283044100 CET	445	50339	60.58.95.1	192.168.2.6
Jan 15, 2025 17:48:04.283241987 CET	445	50338	60.58.95.122	192.168.2.6
Jan 15, 2025 17:48:04.283360958 CET	50338	445	192.168.2.6	60.58.95.122
Jan 15, 2025 17:48:04.283418894 CET	50339	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.283418894 CET	50339	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.283680916 CET	50340	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.288418055 CET	445	50339	60.58.95.1	192.168.2.6
Jan 15, 2025 17:48:04.288450003 CET	445	50340	60.58.95.1	192.168.2.6
Jan 15, 2025 17:48:04.288506031 CET	50339	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.288542032 CET	50340	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.288587093 CET	50340	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:04.293346882 CET	445	50340	60.58.95.1	192.168.2.6
Jan 15, 2025 17:48:04.600490093 CET	50341	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:04.605559111 CET	445	50341	105.213.27.1	192.168.2.6
Jan 15, 2025 17:48:04.606076002 CET	50341	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:04.606121063 CET	50341	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:04.610954046 CET	445	50341	105.213.27.1	192.168.2.6
Jan 15, 2025 17:48:04.614634991 CET	445	50335	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:04.616111040 CET	50335	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:04.616111040 CET	50335	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:04.616173983 CET	50335	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:04.620950937 CET	445	50335	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:04.620960951 CET	445	50335	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:05.389981031 CET	50343	445	192.168.2.6	42.199.188.117
Jan 15, 2025 17:48:05.394859076 CET	445	50343	42.199.188.117	192.168.2.6
Jan 15, 2025 17:48:05.394937038 CET	50343	445	192.168.2.6	42.199.188.117
Jan 15, 2025 17:48:05.395021915 CET	50343	445	192.168.2.6	42.199.188.117
Jan 15, 2025 17:48:05.395183086 CET	50344	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.400482893 CET	445	50344	42.199.188.1	192.168.2.6
Jan 15, 2025 17:48:05.400552034 CET	50344	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.400598049 CET	50344	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.403420925 CET	445	50343	42.199.188.117	192.168.2.6
Jan 15, 2025 17:48:05.407437086 CET	445	50344	42.199.188.1	192.168.2.6
Jan 15, 2025 17:48:05.429672956 CET	445	50343	42.199.188.117	192.168.2.6
Jan 15, 2025 17:48:05.429686069 CET	445	50344	42.199.188.1	192.168.2.6
Jan 15, 2025 17:48:05.429778099 CET	50343	445	192.168.2.6	42.199.188.117
Jan 15, 2025 17:48:05.429800034 CET	50344	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.457395077 CET	50345	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.462186098 CET	445	50345	42.199.188.1	192.168.2.6
Jan 15, 2025 17:48:05.462246895 CET	50345	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.465909958 CET	50345	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:05.470699072 CET	445	50345	42.199.188.1	192.168.2.6
Jan 15, 2025 17:48:05.656141996 CET	445	50176	145.229.6.1	192.168.2.6
Jan 15, 2025 17:48:05.656289101 CET	50176	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:05.660666943 CET	50176	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:05.660711050 CET	50176	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:05.665641069 CET	445	50176	145.229.6.1	192.168.2.6
Jan 15, 2025 17:48:05.665683985 CET	445	50176	145.229.6.1	192.168.2.6
Jan 15, 2025 17:48:05.811902046 CET	445	50177	19.64.25.1	192.168.2.6
Jan 15, 2025 17:48:05.812077045 CET	50177	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:48:05.812186003 CET	50177	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:48:05.812186003 CET	50177	445	192.168.2.6	19.64.25.1
Jan 15, 2025 17:48:05.817171097 CET	445	50177	19.64.25.1	192.168.2.6
Jan 15, 2025 17:48:05.817187071 CET	445	50177	19.64.25.1	192.168.2.6
Jan 15, 2025 17:48:05.866250992 CET	50346	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.871258020 CET	445	50346	19.64.25.2	192.168.2.6
Jan 15, 2025 17:48:05.871345997 CET	50346	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.871390104 CET	50346	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.871723890 CET	50347	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.876595974 CET	445	50346	19.64.25.2	192.168.2.6
Jan 15, 2025 17:48:05.876621008 CET	445	50347	19.64.25.2	192.168.2.6
Jan 15, 2025 17:48:05.876672983 CET	50346	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.876707077 CET	50347	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.876732111 CET	50347	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:05.881581068 CET	445	50347	19.64.25.2	192.168.2.6
Jan 15, 2025 17:48:06.397802114 CET	50348	445	192.168.2.6	79.11.33.150
Jan 15, 2025 17:48:06.403249979 CET	445	50348	79.11.33.150	192.168.2.6
Jan 15, 2025 17:48:06.406080961 CET	50348	445	192.168.2.6	79.11.33.150
Jan 15, 2025 17:48:06.406111002 CET	50348	445	192.168.2.6	79.11.33.150
Jan 15, 2025 17:48:06.406223059 CET	50349	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.411084890 CET	445	50349	79.11.33.1	192.168.2.6
Jan 15, 2025 17:48:06.411478043 CET	445	50348	79.11.33.150	192.168.2.6
Jan 15, 2025 17:48:06.411607981 CET	50349	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.411726952 CET	50349	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.412175894 CET	50350	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.417088032 CET	445	50350	79.11.33.1	192.168.2.6
Jan 15, 2025 17:48:06.418066025 CET	50350	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.418118000 CET	50350	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.419687986 CET	445	50349	79.11.33.1	192.168.2.6
Jan 15, 2025 17:48:06.422976017 CET	445	50350	79.11.33.1	192.168.2.6
Jan 15, 2025 17:48:06.440300941 CET	445	50348	79.11.33.150	192.168.2.6
Jan 15, 2025 17:48:06.440335035 CET	445	50349	79.11.33.1	192.168.2.6
Jan 15, 2025 17:48:06.440433025 CET	50348	445	192.168.2.6	79.11.33.150
Jan 15, 2025 17:48:06.442018032 CET	50349	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:06.631781101 CET	50351	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:06.636837959 CET	445	50351	152.164.46.1	192.168.2.6
Jan 15, 2025 17:48:06.638087034 CET	50351	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:06.638114929 CET	50351	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:06.642986059 CET	445	50351	152.164.46.1	192.168.2.6
Jan 15, 2025 17:48:07.335386992 CET	50352	445	192.168.2.6	47.217.208.213
Jan 15, 2025 17:48:07.341026068 CET	445	50352	47.217.208.213	192.168.2.6
Jan 15, 2025 17:48:07.342094898 CET	50352	445	192.168.2.6	47.217.208.213
Jan 15, 2025 17:48:07.342122078 CET	50352	445	192.168.2.6	47.217.208.213
Jan 15, 2025 17:48:07.342361927 CET	50353	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.347198009 CET	445	50353	47.217.208.1	192.168.2.6
Jan 15, 2025 17:48:07.347364902 CET	445	50352	47.217.208.213	192.168.2.6
Jan 15, 2025 17:48:07.347464085 CET	50352	445	192.168.2.6	47.217.208.213
Jan 15, 2025 17:48:07.347481966 CET	50353	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.347578049 CET	50353	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.347953081 CET	50354	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.352410078 CET	445	50353	47.217.208.1	192.168.2.6
Jan 15, 2025 17:48:07.352857113 CET	445	50354	47.217.208.1	192.168.2.6
Jan 15, 2025 17:48:07.352912903 CET	50353	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.352941990 CET	50354	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.352988005 CET	50354	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:07.357975006 CET	445	50354	47.217.208.1	192.168.2.6
Jan 15, 2025 17:48:07.631789923 CET	50355	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:07.637173891 CET	445	50355	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:07.640489101 CET	50355	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:07.640538931 CET	50355	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:07.645293951 CET	445	50355	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:07.656172991 CET	445	50192	191.230.113.1	192.168.2.6
Jan 15, 2025 17:48:07.660044909 CET	50192	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:07.660078049 CET	50192	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:07.660125017 CET	50192	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:07.664958954 CET	445	50192	191.230.113.1	192.168.2.6
Jan 15, 2025 17:48:07.664969921 CET	445	50192	191.230.113.1	192.168.2.6
Jan 15, 2025 17:48:07.876935005 CET	445	50196	23.60.133.1	192.168.2.6
Jan 15, 2025 17:48:07.877144098 CET	50196	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:48:07.877410889 CET	50196	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:48:07.877465963 CET	50196	445	192.168.2.6	23.60.133.1
Jan 15, 2025 17:48:07.882241964 CET	445	50196	23.60.133.1	192.168.2.6
Jan 15, 2025 17:48:07.882257938 CET	445	50196	23.60.133.1	192.168.2.6
Jan 15, 2025 17:48:07.936777115 CET	50356	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.941792965 CET	445	50356	23.60.133.2	192.168.2.6
Jan 15, 2025 17:48:07.941914082 CET	50356	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.941943884 CET	50356	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.942253113 CET	50357	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.946969032 CET	445	50356	23.60.133.2	192.168.2.6
Jan 15, 2025 17:48:07.947056055 CET	445	50357	23.60.133.2	192.168.2.6
Jan 15, 2025 17:48:07.947164059 CET	50356	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.947257996 CET	50357	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.947280884 CET	50357	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:07.952095985 CET	445	50357	23.60.133.2	192.168.2.6
Jan 15, 2025 17:48:08.210468054 CET	50358	445	192.168.2.6	154.92.211.86
Jan 15, 2025 17:48:08.215596914 CET	445	50358	154.92.211.86	192.168.2.6
Jan 15, 2025 17:48:08.215742111 CET	50358	445	192.168.2.6	154.92.211.86
Jan 15, 2025 17:48:08.215790987 CET	50358	445	192.168.2.6	154.92.211.86
Jan 15, 2025 17:48:08.215939999 CET	50359	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.220828056 CET	445	50359	154.92.211.1	192.168.2.6
Jan 15, 2025 17:48:08.220861912 CET	445	50358	154.92.211.86	192.168.2.6
Jan 15, 2025 17:48:08.220901012 CET	50359	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.220930099 CET	50358	445	192.168.2.6	154.92.211.86
Jan 15, 2025 17:48:08.220968962 CET	50359	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.221333027 CET	50360	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.225883961 CET	445	50359	154.92.211.1	192.168.2.6
Jan 15, 2025 17:48:08.225943089 CET	50359	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.226138115 CET	445	50360	154.92.211.1	192.168.2.6
Jan 15, 2025 17:48:08.226202965 CET	50360	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.226239920 CET	50360	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:08.230987072 CET	445	50360	154.92.211.1	192.168.2.6
Jan 15, 2025 17:48:08.663053989 CET	50361	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:08.668184996 CET	445	50361	145.229.6.1	192.168.2.6
Jan 15, 2025 17:48:08.668267965 CET	50361	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:08.668308020 CET	50361	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:08.673122883 CET	445	50361	145.229.6.1	192.168.2.6
Jan 15, 2025 17:48:09.038558006 CET	50362	445	192.168.2.6	182.30.213.111
Jan 15, 2025 17:48:09.043530941 CET	445	50362	182.30.213.111	192.168.2.6
Jan 15, 2025 17:48:09.043657064 CET	50362	445	192.168.2.6	182.30.213.111
Jan 15, 2025 17:48:09.043765068 CET	50362	445	192.168.2.6	182.30.213.111
Jan 15, 2025 17:48:09.043986082 CET	50363	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.048840046 CET	445	50363	182.30.213.1	192.168.2.6
Jan 15, 2025 17:48:09.048986912 CET	50363	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.048986912 CET	50363	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.049010038 CET	445	50362	182.30.213.111	192.168.2.6
Jan 15, 2025 17:48:09.049141884 CET	50362	445	192.168.2.6	182.30.213.111
Jan 15, 2025 17:48:09.049252987 CET	50364	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.054044008 CET	445	50363	182.30.213.1	192.168.2.6
Jan 15, 2025 17:48:09.054058075 CET	445	50364	182.30.213.1	192.168.2.6
Jan 15, 2025 17:48:09.054125071 CET	50363	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.054168940 CET	50364	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.054208994 CET	50364	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:09.058938980 CET	445	50364	182.30.213.1	192.168.2.6
Jan 15, 2025 17:48:09.115550995 CET	445	50355	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:09.115639925 CET	50355	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:09.115679979 CET	50355	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:09.115703106 CET	50355	445	192.168.2.6	72.37.75.1
Jan 15, 2025 17:48:09.120488882 CET	445	50355	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:09.120501041 CET	445	50355	72.37.75.1	192.168.2.6
Jan 15, 2025 17:48:09.178889990 CET	50365	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.183872938 CET	445	50365	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:09.184011936 CET	50365	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.184114933 CET	50365	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.184509993 CET	50366	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.189224005 CET	445	50365	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:09.189312935 CET	50365	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.189318895 CET	445	50366	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:09.189397097 CET	50366	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.189428091 CET	50366	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:09.194181919 CET	445	50366	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:09.318013906 CET	445	50326	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:09.318268061 CET	50326	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:09.318268061 CET	50326	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:09.318268061 CET	50326	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:09.323251963 CET	445	50326	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:09.323265076 CET	445	50326	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:09.732167959 CET	445	50209	198.0.119.1	192.168.2.6
Jan 15, 2025 17:48:09.732336998 CET	50209	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:09.732419014 CET	50209	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:09.732477903 CET	50209	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:09.737303972 CET	445	50209	198.0.119.1	192.168.2.6
Jan 15, 2025 17:48:09.737314939 CET	445	50209	198.0.119.1	192.168.2.6
Jan 15, 2025 17:48:09.804675102 CET	50367	445	192.168.2.6	179.112.165.13
Jan 15, 2025 17:48:09.809510946 CET	445	50367	179.112.165.13	192.168.2.6
Jan 15, 2025 17:48:09.809601068 CET	50367	445	192.168.2.6	179.112.165.13
Jan 15, 2025 17:48:09.810966015 CET	50367	445	192.168.2.6	179.112.165.13
Jan 15, 2025 17:48:09.811142921 CET	50368	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.815761089 CET	445	50367	179.112.165.13	192.168.2.6
Jan 15, 2025 17:48:09.815821886 CET	50367	445	192.168.2.6	179.112.165.13
Jan 15, 2025 17:48:09.816005945 CET	445	50368	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:09.816062927 CET	50368	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.816093922 CET	50368	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.816560030 CET	50369	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.821048975 CET	445	50368	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:09.821096897 CET	50368	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.821332932 CET	445	50369	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:09.821394920 CET	50369	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.821430922 CET	50369	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:09.826167107 CET	445	50369	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:09.923827887 CET	445	50210	219.105.215.1	192.168.2.6
Jan 15, 2025 17:48:09.923916101 CET	50210	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:48:09.923978090 CET	50210	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:48:09.924031973 CET	50210	445	192.168.2.6	219.105.215.1
Jan 15, 2025 17:48:09.928736925 CET	445	50210	219.105.215.1	192.168.2.6
Jan 15, 2025 17:48:09.928756952 CET	445	50210	219.105.215.1	192.168.2.6
Jan 15, 2025 17:48:09.975692034 CET	50370	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.980633974 CET	445	50370	219.105.215.2	192.168.2.6
Jan 15, 2025 17:48:09.980715990 CET	50370	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.980756998 CET	50370	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.981053114 CET	50371	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.985650063 CET	445	50370	219.105.215.2	192.168.2.6
Jan 15, 2025 17:48:09.985719919 CET	50370	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.985958099 CET	445	50371	219.105.215.2	192.168.2.6
Jan 15, 2025 17:48:09.986072063 CET	50371	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.986133099 CET	50371	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:09.990955114 CET	445	50371	219.105.215.2	192.168.2.6
Jan 15, 2025 17:48:10.663191080 CET	50373	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:10.668143034 CET	445	50373	191.230.113.1	192.168.2.6
Jan 15, 2025 17:48:10.668232918 CET	50373	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:10.668267965 CET	50373	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:10.673144102 CET	445	50373	191.230.113.1	192.168.2.6
Jan 15, 2025 17:48:10.738553047 CET	445	50366	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:10.738825083 CET	50366	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:10.738825083 CET	50366	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:10.738825083 CET	50366	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:10.743746996 CET	445	50366	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:10.743761063 CET	445	50366	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:11.922055960 CET	445	50228	146.131.129.1	192.168.2.6
Jan 15, 2025 17:48:11.922254086 CET	50228	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:48:11.922317982 CET	50228	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:48:11.922389984 CET	50228	445	192.168.2.6	146.131.129.1
Jan 15, 2025 17:48:11.927252054 CET	445	50228	146.131.129.1	192.168.2.6
Jan 15, 2025 17:48:11.927287102 CET	445	50228	146.131.129.1	192.168.2.6
Jan 15, 2025 17:48:11.975558996 CET	50377	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.981344938 CET	445	50377	146.131.129.2	192.168.2.6
Jan 15, 2025 17:48:11.981437922 CET	50377	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.981462002 CET	50377	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.981786013 CET	50378	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.987154007 CET	445	50378	146.131.129.2	192.168.2.6
Jan 15, 2025 17:48:11.987236023 CET	50378	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.987282038 CET	50378	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.987400055 CET	445	50377	146.131.129.2	192.168.2.6
Jan 15, 2025 17:48:11.987458944 CET	50377	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:11.992121935 CET	445	50378	146.131.129.2	192.168.2.6
Jan 15, 2025 17:48:12.319303989 CET	50379	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:12.324415922 CET	445	50379	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:12.324523926 CET	50379	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:12.324551105 CET	50379	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:12.329538107 CET	445	50379	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:12.713768959 CET	445	50369	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:12.713859081 CET	50369	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:12.713903904 CET	50369	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:12.713939905 CET	50369	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:12.718846083 CET	445	50369	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:12.718858957 CET	445	50369	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:12.741287947 CET	50382	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:12.746197939 CET	445	50382	198.0.119.1	192.168.2.6
Jan 15, 2025 17:48:12.746383905 CET	50382	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:12.746495962 CET	50382	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:12.751462936 CET	445	50382	198.0.119.1	192.168.2.6
Jan 15, 2025 17:48:13.720666885 CET	445	50242	103.73.95.1	192.168.2.6
Jan 15, 2025 17:48:13.720748901 CET	50242	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:13.720796108 CET	50242	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:13.720812082 CET	50242	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:13.725712061 CET	445	50242	103.73.95.1	192.168.2.6
Jan 15, 2025 17:48:13.725744009 CET	445	50242	103.73.95.1	192.168.2.6
Jan 15, 2025 17:48:13.741120100 CET	50389	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:13.746366024 CET	445	50389	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:13.746454000 CET	50389	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:13.746476889 CET	50389	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:13.751441956 CET	445	50389	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:13.906428099 CET	445	50245	20.66.242.1	192.168.2.6
Jan 15, 2025 17:48:13.906537056 CET	50245	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:48:13.906564951 CET	50245	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:48:13.906622887 CET	50245	445	192.168.2.6	20.66.242.1
Jan 15, 2025 17:48:13.911613941 CET	445	50245	20.66.242.1	192.168.2.6
Jan 15, 2025 17:48:13.911653996 CET	445	50245	20.66.242.1	192.168.2.6
Jan 15, 2025 17:48:13.960376024 CET	50391	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.965439081 CET	445	50391	20.66.242.2	192.168.2.6
Jan 15, 2025 17:48:13.965553999 CET	50391	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.965653896 CET	50391	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.966028929 CET	50393	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.970582008 CET	445	50391	20.66.242.2	192.168.2.6
Jan 15, 2025 17:48:13.970673084 CET	50391	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.970858097 CET	445	50393	20.66.242.2	192.168.2.6
Jan 15, 2025 17:48:13.970925093 CET	50393	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.970974922 CET	50393	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:13.975848913 CET	445	50393	20.66.242.2	192.168.2.6
Jan 15, 2025 17:48:15.255903959 CET	445	50389	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:15.256057024 CET	50389	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:15.256103039 CET	50389	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:15.256207943 CET	50389	445	192.168.2.6	72.37.75.2
Jan 15, 2025 17:48:15.260958910 CET	445	50389	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:15.260972977 CET	445	50389	72.37.75.2	192.168.2.6
Jan 15, 2025 17:48:15.319421053 CET	50406	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.324394941 CET	445	50406	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:15.324592113 CET	50406	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.324717045 CET	50406	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.325076103 CET	50407	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.329741001 CET	445	50406	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:15.329839945 CET	50406	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.329963923 CET	445	50407	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:15.330041885 CET	50407	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.330073118 CET	50407	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:15.334884882 CET	445	50407	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:15.582408905 CET	445	50259	143.125.156.1	192.168.2.6
Jan 15, 2025 17:48:15.582473040 CET	50259	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:15.582508087 CET	50259	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:15.582547903 CET	50259	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:15.587380886 CET	445	50259	143.125.156.1	192.168.2.6
Jan 15, 2025 17:48:15.587408066 CET	445	50259	143.125.156.1	192.168.2.6
Jan 15, 2025 17:48:15.725507021 CET	50412	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:15.730386972 CET	445	50412	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:15.732244968 CET	50412	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:15.732294083 CET	50412	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:15.737075090 CET	445	50412	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:15.921979904 CET	445	50261	123.192.157.1	192.168.2.6
Jan 15, 2025 17:48:15.924096107 CET	50261	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:48:15.924154997 CET	50261	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:48:15.924154997 CET	50261	445	192.168.2.6	123.192.157.1
Jan 15, 2025 17:48:15.929631948 CET	445	50261	123.192.157.1	192.168.2.6
Jan 15, 2025 17:48:15.929646015 CET	445	50261	123.192.157.1	192.168.2.6
Jan 15, 2025 17:48:15.975497007 CET	50416	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.980518103 CET	445	50416	123.192.157.2	192.168.2.6
Jan 15, 2025 17:48:15.982125044 CET	50416	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.982125044 CET	50416	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.982372046 CET	50417	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.987185001 CET	445	50417	123.192.157.2	192.168.2.6
Jan 15, 2025 17:48:15.987296104 CET	445	50416	123.192.157.2	192.168.2.6
Jan 15, 2025 17:48:15.987371922 CET	50416	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.987437963 CET	50417	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.987437963 CET	50417	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:15.992222071 CET	445	50417	123.192.157.2	192.168.2.6
Jan 15, 2025 17:48:16.789089918 CET	50427	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:16.794239998 CET	445	50427	103.73.95.1	192.168.2.6
Jan 15, 2025 17:48:16.794430017 CET	50427	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:16.802927971 CET	50427	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:16.807765007 CET	445	50427	103.73.95.1	192.168.2.6
Jan 15, 2025 17:48:16.812813044 CET	445	50407	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:16.812896967 CET	50407	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:16.817708969 CET	50407	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:16.817781925 CET	50407	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:16.822542906 CET	445	50407	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:16.822657108 CET	445	50407	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:17.329396963 CET	445	50276	146.245.78.1	192.168.2.6
Jan 15, 2025 17:48:17.329592943 CET	50276	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:17.329636097 CET	50276	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:17.329674959 CET	50276	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:17.334614038 CET	445	50276	146.245.78.1	192.168.2.6
Jan 15, 2025 17:48:17.334625006 CET	445	50276	146.245.78.1	192.168.2.6
Jan 15, 2025 17:48:17.739164114 CET	445	50412	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:17.739368916 CET	50412	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:17.739433050 CET	50412	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:17.739469051 CET	50412	445	192.168.2.6	179.112.165.1
Jan 15, 2025 17:48:17.744446039 CET	445	50412	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:17.744477034 CET	445	50412	179.112.165.1	192.168.2.6
Jan 15, 2025 17:48:17.803683996 CET	50446	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.808891058 CET	445	50446	179.112.165.2	192.168.2.6
Jan 15, 2025 17:48:17.809118032 CET	50446	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.809160948 CET	50446	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.809591055 CET	50447	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.814212084 CET	445	50446	179.112.165.2	192.168.2.6
Jan 15, 2025 17:48:17.814331055 CET	50446	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.814446926 CET	445	50447	179.112.165.2	192.168.2.6
Jan 15, 2025 17:48:17.814558983 CET	50447	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.814620018 CET	50447	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:17.819473982 CET	445	50447	179.112.165.2	192.168.2.6
Jan 15, 2025 17:48:17.922777891 CET	445	50281	40.1.60.1	192.168.2.6
Jan 15, 2025 17:48:17.924170971 CET	50281	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:48:17.924210072 CET	50281	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:48:17.924245119 CET	50281	445	192.168.2.6	40.1.60.1
Jan 15, 2025 17:48:17.929205894 CET	445	50281	40.1.60.1	192.168.2.6
Jan 15, 2025 17:48:17.929239988 CET	445	50281	40.1.60.1	192.168.2.6
Jan 15, 2025 17:48:17.975568056 CET	50451	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.980402946 CET	445	50451	40.1.60.2	192.168.2.6
Jan 15, 2025 17:48:17.981667995 CET	50451	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.981781960 CET	50451	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.982219934 CET	50452	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.986732960 CET	445	50451	40.1.60.2	192.168.2.6
Jan 15, 2025 17:48:17.986963034 CET	445	50452	40.1.60.2	192.168.2.6
Jan 15, 2025 17:48:17.987035036 CET	50451	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.987066984 CET	50452	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.987116098 CET	50452	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:17.991867065 CET	445	50452	40.1.60.2	192.168.2.6
Jan 15, 2025 17:48:18.140738964 CET	445	50284	95.128.26.2	192.168.2.6
Jan 15, 2025 17:48:18.140861034 CET	50284	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:18.140944958 CET	50284	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:18.140997887 CET	50284	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:18.145754099 CET	445	50284	95.128.26.2	192.168.2.6
Jan 15, 2025 17:48:18.145809889 CET	445	50284	95.128.26.2	192.168.2.6
Jan 15, 2025 17:48:18.585077047 CET	50468	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:18.590372086 CET	445	50468	143.125.156.1	192.168.2.6
Jan 15, 2025 17:48:18.590511084 CET	50468	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:18.590555906 CET	50468	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:18.596082926 CET	445	50468	143.125.156.1	192.168.2.6
Jan 15, 2025 17:48:18.988568068 CET	445	50292	76.104.214.1	192.168.2.6
Jan 15, 2025 17:48:18.988776922 CET	50292	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:48:18.988838911 CET	50292	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:48:18.988838911 CET	50292	445	192.168.2.6	76.104.214.1
Jan 15, 2025 17:48:18.993735075 CET	445	50292	76.104.214.1	192.168.2.6
Jan 15, 2025 17:48:18.993768930 CET	445	50292	76.104.214.1	192.168.2.6
Jan 15, 2025 17:48:19.692615032 CET	445	50379	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:19.692881107 CET	50379	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:19.692949057 CET	50379	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:19.692949057 CET	50379	445	192.168.2.6	202.206.173.1
Jan 15, 2025 17:48:19.697945118 CET	445	50379	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:19.697958946 CET	445	50379	202.206.173.1	192.168.2.6
Jan 15, 2025 17:48:19.758027077 CET	50503	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.762996912 CET	445	50503	202.206.173.2	192.168.2.6
Jan 15, 2025 17:48:19.763108015 CET	50503	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.763151884 CET	50503	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.763437033 CET	50504	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.768330097 CET	445	50503	202.206.173.2	192.168.2.6
Jan 15, 2025 17:48:19.768414021 CET	50503	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.768507004 CET	445	50504	202.206.173.2	192.168.2.6
Jan 15, 2025 17:48:19.768577099 CET	50504	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.768724918 CET	50504	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:19.773588896 CET	445	50504	202.206.173.2	192.168.2.6
Jan 15, 2025 17:48:19.819560051 CET	50507	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:19.824615955 CET	445	50507	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:19.824754000 CET	50507	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:19.824831963 CET	50507	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:19.829715014 CET	445	50507	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:19.990411043 CET	445	50300	14.222.195.1	192.168.2.6
Jan 15, 2025 17:48:19.990485907 CET	50300	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:48:19.990523100 CET	50300	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:48:19.990545988 CET	50300	445	192.168.2.6	14.222.195.1
Jan 15, 2025 17:48:19.995589018 CET	445	50300	14.222.195.1	192.168.2.6
Jan 15, 2025 17:48:19.995743990 CET	445	50300	14.222.195.1	192.168.2.6
Jan 15, 2025 17:48:20.053738117 CET	50517	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.058808088 CET	445	50517	14.222.195.2	192.168.2.6
Jan 15, 2025 17:48:20.058898926 CET	50517	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.058985949 CET	50517	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.059355974 CET	50518	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.064093113 CET	445	50517	14.222.195.2	192.168.2.6
Jan 15, 2025 17:48:20.064176083 CET	50517	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.064433098 CET	445	50518	14.222.195.2	192.168.2.6
Jan 15, 2025 17:48:20.064512014 CET	50518	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.064558029 CET	50518	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:20.069406986 CET	445	50518	14.222.195.2	192.168.2.6
Jan 15, 2025 17:48:20.335052013 CET	50532	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:20.340106010 CET	445	50532	146.245.78.1	192.168.2.6
Jan 15, 2025 17:48:20.340245962 CET	50532	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:20.340307951 CET	50532	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:20.345243931 CET	445	50532	146.245.78.1	192.168.2.6
Jan 15, 2025 17:48:20.547025919 CET	445	50305	24.191.188.1	192.168.2.6
Jan 15, 2025 17:48:20.547102928 CET	50305	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:48:20.547149897 CET	50305	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:48:20.547172070 CET	50305	445	192.168.2.6	24.191.188.1
Jan 15, 2025 17:48:20.552078009 CET	445	50305	24.191.188.1	192.168.2.6
Jan 15, 2025 17:48:20.552092075 CET	445	50305	24.191.188.1	192.168.2.6
Jan 15, 2025 17:48:21.147351980 CET	50592	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:21.152426958 CET	445	50592	95.128.26.2	192.168.2.6
Jan 15, 2025 17:48:21.152693033 CET	50592	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:21.152693033 CET	50592	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:21.157598019 CET	445	50592	95.128.26.2	192.168.2.6
Jan 15, 2025 17:48:21.301187038 CET	445	50507	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:21.301326036 CET	50507	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:21.301373959 CET	50507	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:21.301373959 CET	50507	445	192.168.2.6	72.37.75.3
Jan 15, 2025 17:48:21.306257010 CET	445	50507	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:21.306276083 CET	445	50507	72.37.75.3	192.168.2.6
Jan 15, 2025 17:48:21.366352081 CET	50620	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.371403933 CET	445	50620	72.37.75.4	192.168.2.6
Jan 15, 2025 17:48:21.371561050 CET	50620	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.371604919 CET	50620	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.371880054 CET	50622	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.376646996 CET	445	50622	72.37.75.4	192.168.2.6
Jan 15, 2025 17:48:21.376725912 CET	50622	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.376755953 CET	50622	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.376801014 CET	445	50620	72.37.75.4	192.168.2.6
Jan 15, 2025 17:48:21.376848936 CET	50620	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:21.381505013 CET	445	50622	72.37.75.4	192.168.2.6
Jan 15, 2025 17:48:21.672564983 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:21.672605991 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:21.672667027 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:21.673243046 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:21.673255920 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:21.969082117 CET	445	50317	195.128.239.1	192.168.2.6
Jan 15, 2025 17:48:21.969146967 CET	50317	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:21.984689951 CET	445	50318	206.65.90.1	192.168.2.6
Jan 15, 2025 17:48:21.984761953 CET	50318	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:48:22.517514944 CET	50337	445	192.168.2.6	16.50.237.2
Jan 15, 2025 17:48:22.517554045 CET	50393	445	192.168.2.6	20.66.242.2
Jan 15, 2025 17:48:22.517642021 CET	50371	445	192.168.2.6	219.105.215.2
Jan 15, 2025 17:48:22.517649889 CET	50347	445	192.168.2.6	19.64.25.2
Jan 15, 2025 17:48:22.517678976 CET	50357	445	192.168.2.6	23.60.133.2
Jan 15, 2025 17:48:22.517752886 CET	50317	445	192.168.2.6	195.128.239.1
Jan 15, 2025 17:48:22.517782927 CET	50318	445	192.168.2.6	206.65.90.1
Jan 15, 2025 17:48:22.517797947 CET	50330	445	192.168.2.6	35.145.151.1
Jan 15, 2025 17:48:22.517821074 CET	50340	445	192.168.2.6	60.58.95.1
Jan 15, 2025 17:48:22.517849922 CET	50341	445	192.168.2.6	105.213.27.1
Jan 15, 2025 17:48:22.517899990 CET	50345	445	192.168.2.6	42.199.188.1
Jan 15, 2025 17:48:22.517904997 CET	50350	445	192.168.2.6	79.11.33.1
Jan 15, 2025 17:48:22.517921925 CET	50351	445	192.168.2.6	152.164.46.1
Jan 15, 2025 17:48:22.517950058 CET	50354	445	192.168.2.6	47.217.208.1
Jan 15, 2025 17:48:22.517977953 CET	50360	445	192.168.2.6	154.92.211.1
Jan 15, 2025 17:48:22.518074989 CET	50361	445	192.168.2.6	145.229.6.1
Jan 15, 2025 17:48:22.518094063 CET	50364	445	192.168.2.6	182.30.213.1
Jan 15, 2025 17:48:22.518122911 CET	50382	445	192.168.2.6	198.0.119.1
Jan 15, 2025 17:48:22.518150091 CET	50373	445	192.168.2.6	191.230.113.1
Jan 15, 2025 17:48:22.518191099 CET	50378	445	192.168.2.6	146.131.129.2
Jan 15, 2025 17:48:22.518317938 CET	50427	445	192.168.2.6	103.73.95.1
Jan 15, 2025 17:48:22.518338919 CET	50417	445	192.168.2.6	123.192.157.2
Jan 15, 2025 17:48:22.518371105 CET	50452	445	192.168.2.6	40.1.60.2
Jan 15, 2025 17:48:22.518400908 CET	50447	445	192.168.2.6	179.112.165.2
Jan 15, 2025 17:48:22.518435001 CET	50468	445	192.168.2.6	143.125.156.1
Jan 15, 2025 17:48:22.518486023 CET	50532	445	192.168.2.6	146.245.78.1
Jan 15, 2025 17:48:22.518559933 CET	50504	445	192.168.2.6	202.206.173.2
Jan 15, 2025 17:48:22.518606901 CET	50518	445	192.168.2.6	14.222.195.2
Jan 15, 2025 17:48:22.519099951 CET	50592	445	192.168.2.6	95.128.26.2
Jan 15, 2025 17:48:22.519372940 CET	50622	445	192.168.2.6	72.37.75.4
Jan 15, 2025 17:48:22.704164982 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.704294920 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.706227064 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.706244946 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.706480980 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.708326101 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.708405018 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.708410025 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.708548069 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.751332045 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.880968094 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.881050110 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:22.881167889 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.881366014 CET	50640	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:22.881382942 CET	443	50640	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:47.272759914 CET	49703	443	192.168.2.6	40.126.32.68
Jan 15, 2025 17:48:47.272762060 CET	49706	80	192.168.2.6	2.23.77.188
Jan 15, 2025 17:48:47.277838945 CET	443	49703	40.126.32.68	192.168.2.6
Jan 15, 2025 17:48:47.277921915 CET	49703	443	192.168.2.6	40.126.32.68
Jan 15, 2025 17:48:47.278393030 CET	80	49706	2.23.77.188	192.168.2.6
Jan 15, 2025 17:48:47.278450966 CET	49706	80	192.168.2.6	2.23.77.188
Jan 15, 2025 17:48:49.787925005 CET	49707	443	192.168.2.6	40.126.32.68
Jan 15, 2025 17:48:49.792989016 CET	443	49707	40.126.32.68	192.168.2.6
Jan 15, 2025 17:48:49.793056011 CET	49707	443	192.168.2.6	40.126.32.68
Jan 15, 2025 17:48:53.320312023 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:53.320420980 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:53.320513964 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:53.321134090 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:53.321163893 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.140495062 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.140610933 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.144629955 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.144659042 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.144891977 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.146739960 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.146809101 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.146821022 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.146938086 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.187335968 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.321105003 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.321167946 CET	443	50642	40.115.3.253	192.168.2.6
Jan 15, 2025 17:48:54.321254015 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.321482897 CET	50642	443	192.168.2.6	40.115.3.253
Jan 15, 2025 17:48:54.321518898 CET	443	50642	40.115.3.253	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:47:15.024089098 CET	53999	53	192.168.2.6	1.1.1.1
Jan 15, 2025 17:47:15.325926065 CET	53	53999	1.1.1.1	192.168.2.6
Jan 15, 2025 17:47:15.996242046 CET	63665	53	192.168.2.6	1.1.1.1
Jan 15, 2025 17:47:16.331825972 CET	53	63665	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 17:47:15.024089098 CET	192.168.2.6	1.1.1.1	0x1bc7	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:47:15.996242046 CET	192.168.2.6	1.1.1.1	0x41c6	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 17:47:15.325926065 CET	1.1.1.1	192.168.2.6	0x1bc7	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:47:16.331825972 CET	1.1.1.1	192.168.2.6	0x41c6	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 17:47:16.331825972 CET	1.1.1.1	192.168.2.6	0x41c6	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	103.224.212.215	80	5772	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:15.337708950 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:47:15.943342924 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:47:15 GMT server: Apache set-cookie: __tad=1736959635.6911048; expires=Sat, 13-Jan-2035 16:47:15 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-1541-9f57-da56839b827f content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49711	199.59.243.228	80	5772	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:16.337951899 CET	169	OUT	GET /?subid1=20250116-0347-1541-9f57-da56839b827f HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:47:16.806006908 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:47:15 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: ebac6318-2a75-4752-ba46-19550119d49c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_td0b0H59UvtNQd+m2a96W9DruNQNfwYskOTFienPN9gZAzbrDa8cL+fd5P7kevif3pgwM6fZI5dbx46lCGgXyQ== set-cookie: parking_session=ebac6318-2a75-4752-ba46-19550119d49c; expires=Wed, 15 Jan 2025 17:02:16 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 64 30 62 30 48 35 39 55 76 74 4e 51 64 2b 6d 32 61 39 36 57 39 44 72 75 4e 51 4e 66 77 59 73 6b 4f 54 46 69 65 6e 50 4e 39 67 5a 41 7a 62 72 44 61 38 63 4c 2b 66 64 35 50 37 6b 65 76 69 66 33 70 67 77 4d 36 66 5a 49 35 64 62 78 34 36 6c 43 47 67 58 79 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_td0b0H59UvtNQd+m2a96W9DruNQNfwYskOTFienPN9gZAzbrDa8cL+fd5P7kevif3pgwM6fZI5dbx46lCGgXyQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:47:16.806030035 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZWJhYzYzMTgtMmE3NS00NzUyLWJhNDYtMTk1NTAxMTlkNDljIiwicGFnZV90aW1lIjoxNzM2OTU5NjM2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49712	103.224.212.215	80	3196	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:16.945595980 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:47:17.538379908 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:47:17 GMT server: Apache set-cookie: __tad=1736959637.2702927; expires=Sat, 13-Jan-2035 16:47:17 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49713	103.224.212.215	80	5916	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:17.380068064 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736959635.6911048
Jan 15, 2025 17:47:17.990780115 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:47:17 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-17ae-b188-3b0abf488c58 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49714	199.59.243.228	80	3196	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:17.550451040 CET	169	OUT	GET /?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:47:18.025686026 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:47:17 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: c4e03165-c9b3-461f-b141-92b13ec9da6a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_x/joTDiJU1RWsEnnA9pWKTaA3Nuf6GB8NMHNTj4yoJcv434H89fCWR+1ISiES4Of2GCaNKskZ2eoU9E95QXczQ== set-cookie: parking_session=c4e03165-c9b3-461f-b141-92b13ec9da6a; expires=Wed, 15 Jan 2025 17:02:17 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 78 2f 6a 6f 54 44 69 4a 55 31 52 57 73 45 6e 6e 41 39 70 57 4b 54 61 41 33 4e 75 66 36 47 42 38 4e 4d 48 4e 54 6a 34 79 6f 4a 63 76 34 33 34 48 38 39 66 43 57 52 2b 31 49 53 69 45 53 34 4f 66 32 47 43 61 4e 4b 73 6b 5a 32 65 6f 55 39 45 39 35 51 58 63 7a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_x/joTDiJU1RWsEnnA9pWKTaA3Nuf6GB8NMHNTj4yoJcv434H89fCWR+1ISiES4Of2GCaNKskZ2eoU9E95QXczQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:47:18.025705099 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzRlMDMxNjUtYzliMy00NjFmLWIxNDEtOTJiMTNlYzlkYTZhIiwicGFnZV90aW1lIjoxNzM2OTU5NjM3LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49715	199.59.243.228	80	5916	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:18.000174046 CET	231	OUT	GET /?subid1=20250116-0347-17ae-b188-3b0abf488c58 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=ebac6318-2a75-4752-ba46-19550119d49c
Jan 15, 2025 17:47:18.495793104 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:47:17 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 6cd797e7-6913-4439-bdae-17b826e4c36c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bVf0DmDWfxOC6+mMIzBEThtrxmmDKW7Ot1g3iY2O/qPwjWiLHiNVJiPdMNJcj3JX4TwNf9+cZtz3n3vgk5x3pA== set-cookie: parking_session=ebac6318-2a75-4752-ba46-19550119d49c; expires=Wed, 15 Jan 2025 17:02:18 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 56 66 30 44 6d 44 57 66 78 4f 43 36 2b 6d 4d 49 7a 42 45 54 68 74 72 78 6d 6d 44 4b 57 37 4f 74 31 67 33 69 59 32 4f 2f 71 50 77 6a 57 69 4c 48 69 4e 56 4a 69 50 64 4d 4e 4a 63 6a 33 4a 58 34 54 77 4e 66 39 2b 63 5a 74 7a 33 6e 33 76 67 6b 35 78 33 70 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bVf0DmDWfxOC6+mMIzBEThtrxmmDKW7Ot1g3iY2O/qPwjWiLHiNVJiPdMNJcj3JX4TwNf9+cZtz3n3vgk5x3pA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 17:47:18.495830059 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZWJhYzYzMTgtMmE3NS00NzUyLWJhNDYtMTk1NTAxMTlkNDljIiwicGFnZV90aW1lIjoxNzM2OTU5NjM4LCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:14 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 37 56 39 53 73 37 65 4a 43 30 79 37 5a 55 30 58 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 65 39 65 30 35 66 63 64 66 35 30 36 38 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: 7V9Ss7eJC0y7ZU0X.1Context: 7e9e05fcdf50683
2025-01-15 16:47:14 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:14 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 37 56 39 53 73 37 65 4a 43 30 79 37 5a 55 30 58 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 65 39 65 30 35 66 63 64 66 35 30 36 38 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 6a 6b 4c 74 76 5a 38 41 57 79 77 55 73 48 66 76 62 45 73 78 7a 6b 54 49 31 65 7a 45 4f 34 48 51 59 61 4a 46 79 7a 77 44 4f 6c 55 55 4f 5a 77 66 42 75 74 71 39 47 48 31 34 7a 6f 32 66 31 65 73 6e 4a 45 70 4c 59 4e 48 33 51 70 49 67 67 36 31 43 37 50 43 6a 50 6d 39 42 76 46 71 76 6e 6d 37 44 30 51 4e 33 6f 37 54 33 48 36 6f 47 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: 7V9Ss7eJC0y7ZU0X.2Context: 7e9e05fcdf50683<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAejkLtvZ8AWywUsHfvbEsxzkTI1ezEO4HQYaJFyzwDOlUUOZwfButq9GH14zo2f1esnJEpLYNH3QpIgg61C7PCjPm9BvFqvnm7D0QN3o7T3H6oG
2025-01-15 16:47:14 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 37 56 39 53 73 37 65 4a 43 30 79 37 5a 55 30 58 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 65 39 65 30 35 66 63 64 66 35 30 36 38 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: 7V9Ss7eJC0y7ZU0X.3Context: 7e9e05fcdf50683<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:15 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:15 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 71 56 74 46 2f 79 2f 49 73 6b 53 77 52 6e 6b 72 69 76 6c 66 4a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: qVtF/y/IskSwRnkrivlfJg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49782	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:22 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 6b 43 72 68 4d 49 39 6d 49 55 65 39 45 39 36 49 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 30 38 63 64 32 61 63 61 35 36 30 31 62 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: kCrhMI9mIUe9E96I.1Context: c08cd2aca5601bc
2025-01-15 16:47:22 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:22 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 6b 43 72 68 4d 49 39 6d 49 55 65 39 45 39 36 49 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 30 38 63 64 32 61 63 61 35 36 30 31 62 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 6a 6b 4c 74 76 5a 38 41 57 79 77 55 73 48 66 76 62 45 73 78 7a 6b 54 49 31 65 7a 45 4f 34 48 51 59 61 4a 46 79 7a 77 44 4f 6c 55 55 4f 5a 77 66 42 75 74 71 39 47 48 31 34 7a 6f 32 66 31 65 73 6e 4a 45 70 4c 59 4e 48 33 51 70 49 67 67 36 31 43 37 50 43 6a 50 6d 39 42 76 46 71 76 6e 6d 37 44 30 51 4e 33 6f 37 54 33 48 36 6f 47 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: kCrhMI9mIUe9E96I.2Context: c08cd2aca5601bc<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAejkLtvZ8AWywUsHfvbEsxzkTI1ezEO4HQYaJFyzwDOlUUOZwfButq9GH14zo2f1esnJEpLYNH3QpIgg61C7PCjPm9BvFqvnm7D0QN3o7T3H6oG
2025-01-15 16:47:22 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 6b 43 72 68 4d 49 39 6d 49 55 65 39 45 39 36 49 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 30 38 63 64 32 61 63 61 35 36 30 31 62 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: kCrhMI9mIUe9E96I.3Context: c08cd2aca5601bc<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:23 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:23 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 62 59 5a 42 6c 32 53 35 42 45 75 30 62 43 46 74 6f 39 43 46 63 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: bYZBl2S5BEu0bCFto9CFcw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	50020	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:35 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6a 64 2f 67 37 4a 35 33 2f 6b 57 74 63 58 65 38 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 38 30 34 61 30 63 63 32 38 34 32 65 31 34 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: jd/g7J53/kWtcXe8.1Context: d804a0cc2842e142
2025-01-15 16:47:35 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:35 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6a 64 2f 67 37 4a 35 33 2f 6b 57 74 63 58 65 38 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 38 30 34 61 30 63 63 32 38 34 32 65 31 34 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 6a 6b 4c 74 76 5a 38 41 57 79 77 55 73 48 66 76 62 45 73 78 7a 6b 54 49 31 65 7a 45 4f 34 48 51 59 61 4a 46 79 7a 77 44 4f 6c 55 55 4f 5a 77 66 42 75 74 71 39 47 48 31 34 7a 6f 32 66 31 65 73 6e 4a 45 70 4c 59 4e 48 33 51 70 49 67 67 36 31 43 37 50 43 6a 50 6d 39 42 76 46 71 76 6e 6d 37 44 30 51 4e 33 6f 37 54 33 48 36 6f Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: jd/g7J53/kWtcXe8.2Context: d804a0cc2842e142<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAejkLtvZ8AWywUsHfvbEsxzkTI1ezEO4HQYaJFyzwDOlUUOZwfButq9GH14zo2f1esnJEpLYNH3QpIgg61C7PCjPm9BvFqvnm7D0QN3o7T3H6o
2025-01-15 16:47:35 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6a 64 2f 67 37 4a 35 33 2f 6b 57 74 63 58 65 38 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 38 30 34 61 30 63 63 32 38 34 32 65 31 34 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: jd/g7J53/kWtcXe8.3Context: d804a0cc2842e142<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:35 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:35 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6b 70 48 30 76 34 4f 32 62 30 69 54 64 55 72 46 7a 74 47 35 46 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: kpH0v4O2b0iTdUrFztG5Fw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50263	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:55 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 35 78 4f 4f 65 37 42 4b 54 30 4f 36 33 62 78 32 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 34 64 39 64 62 64 34 65 61 37 64 63 34 63 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 5xOOe7BKT0O63bx2.1Context: 64d9dbd4ea7dc4c3
2025-01-15 16:47:55 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:55 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 35 78 4f 4f 65 37 42 4b 54 30 4f 36 33 62 78 32 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 34 64 39 64 62 64 34 65 61 37 64 63 34 63 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 6a 6b 4c 74 76 5a 38 41 57 79 77 55 73 48 66 76 62 45 73 78 7a 6b 54 49 31 65 7a 45 4f 34 48 51 59 61 4a 46 79 7a 77 44 4f 6c 55 55 4f 5a 77 66 42 75 74 71 39 47 48 31 34 7a 6f 32 66 31 65 73 6e 4a 45 70 4c 59 4e 48 33 51 70 49 67 67 36 31 43 37 50 43 6a 50 6d 39 42 76 46 71 76 6e 6d 37 44 30 51 4e 33 6f 37 54 33 48 36 6f Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 5xOOe7BKT0O63bx2.2Context: 64d9dbd4ea7dc4c3<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAejkLtvZ8AWywUsHfvbEsxzkTI1ezEO4HQYaJFyzwDOlUUOZwfButq9GH14zo2f1esnJEpLYNH3QpIgg61C7PCjPm9BvFqvnm7D0QN3o7T3H6o
2025-01-15 16:47:55 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 35 78 4f 4f 65 37 42 4b 54 30 4f 36 33 62 78 32 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 34 64 39 64 62 64 34 65 61 37 64 63 34 63 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 5xOOe7BKT0O63bx2.3Context: 64d9dbd4ea7dc4c3<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:55 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:55 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6a 62 38 46 77 63 54 37 56 45 32 30 7a 6e 56 57 73 79 4e 7a 44 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: jb8FwcT7VE20znVWsyNzDg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50640	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:48:22 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 42 43 4b 56 64 75 65 70 65 45 36 77 44 56 69 44 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 63 32 39 63 34 39 37 64 31 38 64 39 62 31 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: BCKVduepeE6wDViD.1Context: ec29c497d18d9b13
2025-01-15 16:48:22 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:48:22 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 42 43 4b 56 64 75 65 70 65 45 36 77 44 56 69 44 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 63 32 39 63 34 39 37 64 31 38 64 39 62 31 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 6a 6b 4c 74 76 5a 38 41 57 79 77 55 73 48 66 76 62 45 73 78 7a 6b 54 49 31 65 7a 45 4f 34 48 51 59 61 4a 46 79 7a 77 44 4f 6c 55 55 4f 5a 77 66 42 75 74 71 39 47 48 31 34 7a 6f 32 66 31 65 73 6e 4a 45 70 4c 59 4e 48 33 51 70 49 67 67 36 31 43 37 50 43 6a 50 6d 39 42 76 46 71 76 6e 6d 37 44 30 51 4e 33 6f 37 54 33 48 36 6f Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: BCKVduepeE6wDViD.2Context: ec29c497d18d9b13<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAejkLtvZ8AWywUsHfvbEsxzkTI1ezEO4HQYaJFyzwDOlUUOZwfButq9GH14zo2f1esnJEpLYNH3QpIgg61C7PCjPm9BvFqvnm7D0QN3o7T3H6o
2025-01-15 16:48:22 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 42 43 4b 56 64 75 65 70 65 45 36 77 44 56 69 44 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 63 32 39 63 34 39 37 64 31 38 64 39 62 31 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: BCKVduepeE6wDViD.3Context: ec29c497d18d9b13<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:48:22 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:48:22 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 62 67 30 54 44 2b 42 38 43 30 69 38 4d 62 47 4f 6d 74 32 44 47 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: bg0TD+B8C0i8MbGOmt2DGg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50642	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:48:54 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 53 61 53 6a 31 51 58 32 76 55 2b 65 7a 79 30 53 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 34 65 35 65 35 65 30 64 64 32 37 65 30 38 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: SaSj1QX2vU+ezy0S.1Context: 14e5e5e0dd27e083
2025-01-15 16:48:54 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:48:54 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 53 61 53 6a 31 51 58 32 76 55 2b 65 7a 79 30 53 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 34 65 35 65 35 65 30 64 64 32 37 65 30 38 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 6a 6b 4c 74 76 5a 38 41 57 79 77 55 73 48 66 76 62 45 73 78 7a 6b 54 49 31 65 7a 45 4f 34 48 51 59 61 4a 46 79 7a 77 44 4f 6c 55 55 4f 5a 77 66 42 75 74 71 39 47 48 31 34 7a 6f 32 66 31 65 73 6e 4a 45 70 4c 59 4e 48 33 51 70 49 67 67 36 31 43 37 50 43 6a 50 6d 39 42 76 46 71 76 6e 6d 37 44 30 51 4e 33 6f 37 54 33 48 36 6f Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: SaSj1QX2vU+ezy0S.2Context: 14e5e5e0dd27e083<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAejkLtvZ8AWywUsHfvbEsxzkTI1ezEO4HQYaJFyzwDOlUUOZwfButq9GH14zo2f1esnJEpLYNH3QpIgg61C7PCjPm9BvFqvnm7D0QN3o7T3H6o
2025-01-15 16:48:54 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 53 61 53 6a 31 51 58 32 76 55 2b 65 7a 79 30 53 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 34 65 35 65 35 65 30 64 64 32 37 65 30 38 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: SaSj1QX2vU+ezy0S.3Context: 14e5e5e0dd27e083<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:48:54 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:48:54 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 35 51 72 39 2f 66 35 31 55 30 2b 38 5a 61 43 68 68 36 2b 77 47 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 5Qr9/f51U0+8ZaChh6+wGg.0Payload parsing failed.

Target ID:	0
Start time:	11:47:12
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll"
Imagebase:	0x4c0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:47:12
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:47:13
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:47:13
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame
Imagebase:	0x710000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:47:13
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1
Imagebase:	0x710000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:47:13
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	835246CD3690184218773906A49D8328
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2160946796.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:47:15
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	835246CD3690184218773906A49D8328
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2185223099.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:47:16
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame
Imagebase:	0x710000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:47:16
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	835246CD3690184218773906A49D8328
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2189366681.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2205428809.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
D, xrefs: 00407ED3
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000006.00000002.2197687096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2197671383.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197704069.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197758965.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2197687096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2197671383.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197704069.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197758965.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2197687096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2197671383.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197704069.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197758965.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.2197687096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2197671383.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197704069.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197758965.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2197687096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2197671383.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197704069.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197758965.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 3196, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2832697050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2832681992.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832783597.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832857933.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832874500.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2832697050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2832681992.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832783597.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832857933.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832874500.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2832697050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2832681992.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832783597.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832857933.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832874500.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12

Memory Dump Source

Source File: 00000008.00000002.2832697050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2832681992.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832783597.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832857933.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832874500.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2832697050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2832681992.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832783597.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832800862.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832857933.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832874500.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f5mfkHLLVe.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
f5mfkHLLVe.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON