Edit tour

Windows Analysis Report
QQE81XYXon.dll

Overview

General Information

Sample name:	QQE81XYXon.dll renamed because original name is a hash value
Original sample name:	c4fca61333b642e21c2b1ba417c0100d.dll
Analysis ID:	1592107
MD5:	c4fca61333b642e21c2b1ba417c0100d
SHA1:	5505cce40eeedd3948daf098f1ce95aa5cd1bc42
SHA256:	85a6bca0ebd3e1c99d8fd6669a6db6ddd8463b7c7edaa87702ca2a425fc5cce5
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4900 cmdline: loaddll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4568 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2820 cmdline: rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1976 cmdline: rundll32.exe C:\Users\user\Desktop\QQE81XYXon.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 4800 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 6BFA175E3CBD626EF26394826EDB0FDF)

rundll32.exe (PID: 4836 cmdline: rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 3816 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 6BFA175E3CBD626EF26394826EDB0FDF)

mssecsvr.exe (PID: 3748 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 6BFA175E3CBD626EF26394826EDB0FDF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
QQE81XYXon.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
QQE81XYXon.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
QQE81XYXon.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2196270495.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2152520017.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2179028546.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2180935665.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 4800	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3748	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3816	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.22778c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4d084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
6.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d7f128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.1d7f128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22a996c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
10.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
8.2.mssecsvr.exe.22a996c.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5c104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5c104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5c104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d5c104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.2286948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2286948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2286948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2286948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
10.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d7f128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d7f128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.1d7f128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22a996c.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22a996c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
8.2.mssecsvr.exe.22a996c.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d4d084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d4d084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4d084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22778c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22778c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.22778c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2286948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2286948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2286948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d580a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d580a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d580a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.1d5c104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5c104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5c104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvr.exe.22828e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22828e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.22828e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:07:06.827382+0100	2803304	3	Unknown Traffic	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-15T19:07:08.395925+0100	2803304	3	Unknown Traffic	192.168.2.6	49712	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:07:05.916752+0100	2830018	1	A Network Trojan was detected	192.168.2.6	54126	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QQE81XYXon.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb4	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c3	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831fb	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c39e	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb439	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 84%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: QQE81XYXon.dll	ReversingLabs: Detection: 92%
Source: QQE81XYXon.dll	Virustotal: Detection: 91%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: QQE81XYXon.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: QQE81XYXon.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49952 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50635 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.6:54126 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0507-06c2-ab55-018cebe831fb HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736964426.6027517
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0507-08af-9581-038eeaa6c39e HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0507-0847-82be-09ad5d5cb439 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=667eccaa-c04f-4d79-96f2-58e7887f231d

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49712 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 103.224.212.215:80

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49952 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.241
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.241
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.241
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.241
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 49.114.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.157
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.157
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.157
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.157
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.87.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.178
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.178
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.178
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.178
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 75.228.122.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0507-06c2-ab55-018cebe831fb HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736964426.6027517
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0507-08af-9581-038eeaa6c39e HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0507-0847-82be-09ad5d5cb439 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=667eccaa-c04f-4d79-96f2-58e7887f231d

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831
Source: mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb4
Source: mssecsvr.exe, 00000008.00000002.2826859936.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2194899332.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c3
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p
Source: QQE81XYXon.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000008.00000003.2194899332.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&
Source: mssecsvr.exe, 00000008.00000003.2194899332.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8
Source: mssecsvr.exe, 00000008.00000003.2194899332.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/:
Source: mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/a
Source: mssecsvr.exe, 00000008.00000002.2826519484.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comV1

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 50635 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50404
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50635
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50635 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: QQE81XYXon.dll, type: SAMPLE
Source: Yara match	File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d7f128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22a996c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d4d084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22778c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d580a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5c104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2196270495.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2152520017.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2179028546.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2180935665.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 4800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3816, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: QQE81XYXon.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: QQE81XYXon.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22778c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4d084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7f128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7f128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7f128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7f128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d4d084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4d084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d580a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d580a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5c104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5c104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: tasksche.exe.6.dr

Static PE information: No import functions for PE file found

Source: QQE81XYXon.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: QQE81XYXon.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: QQE81XYXon.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22778c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4d084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7f128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7f128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d5c104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7f128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7f128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d4d084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4d084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d580a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d580a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5c104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5c104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: QQE81XYXon.dll, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03

Source: QQE81XYXon.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QQE81XYXon.dll,PlayGame

Source: QQE81XYXon.dll	ReversingLabs: Detection: 92%
Source: QQE81XYXon.dll	Virustotal: Detection: 91%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QQE81XYXon.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QQE81XYXon.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: QQE81XYXon.dll

Static file information: File size 5267459 > 1048576

Source: QQE81XYXon.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.606657494548842

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 5532	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5532	Thread sleep time: -184000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1132	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 1132	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5532	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000008.00000002.2826859936.00000000009F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@T
Source: mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWE
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2194899332.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: mssecsvr.exe, 00000006.00000002.2195490388.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QQE81XYXon.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
QQE81XYXon.dll	91%	Virustotal		Browse
QQE81XYXon.dll	100%	Avira	TR/AD.DPulsarShellcode.gohtr
QQE81XYXon.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	85%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	85%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb4	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comV1	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c3	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831fb	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c39e	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb439	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831fb	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c39e	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb439	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c3	mssecsvr.exe, 00000008.00000002.2826859936.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2194899332.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comV1	mssecsvr.exe, 00000006.00000002.2195490388.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb4	mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/)	mssecsvr.exe, 00000008.00000003.2194899332.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/&	mssecsvr.exe, 00000008.00000003.2194899332.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.2195490388.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831	mssecsvr.exe, 00000006.00000002.2195490388.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	QQE81XYXon.dll	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B	mssecsvr.exe, 0000000A.00000002.2196882708.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p	mssecsvr.exe, 00000006.00000002.2195490388.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/a	mssecsvr.exe, 00000006.00000002.2195490388.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/:	mssecsvr.exe, 00000008.00000003.2194899332.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2826859936.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2191139653.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2826519484.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8	mssecsvr.exe, 00000006.00000002.2195490388.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
15.8.58.250	unknown	United States	13979	ATT-IPFRUS	false
49.114.69.2	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
49.114.69.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
118.54.82.1	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
153.143.158.1	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
104.205.84.2	unknown	Canada	852	ASN852CA	false
7.138.150.1	unknown	United States	3356	LEVEL3US	false
54.192.5.1	unknown	United States	14618	AMAZON-AESUS	false
104.205.84.1	unknown	Canada	852	ASN852CA	false
153.143.158.197	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
117.41.142.1	unknown	China	4809	CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr	false
173.218.135.151	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
200.198.81.1	unknown	Brazil	15180	UOLDIVEOSABR	false
32.52.139.1	unknown	United States	7018	ATT-INTERNET4US	false
203.128.199.61	unknown	Korea Republic of	17608	ABN-AS-KRABNKR	false
149.241.237.229	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
186.162.98.1	unknown	Peru	21575	ENTELPERUSAPE	false
63.35.17.92	unknown	United States	16509	AMAZON-02US	false
186.162.98.9	unknown	Peru	21575	ENTELPERUSAPE	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592107
Start date and time:	2025-01-15 19:06:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QQE81XYXon.dll renamed because original name is a hash value
Original Sample Name:	c4fca61333b642e21c2b1ba417c0100d.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.23.77.188, 217.20.57.36, 217.20.57.35, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:07:06	API Interceptor	1x Sleep call for process: loaddll32.exe modified
13:07:41	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-IPFRUS	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	15.116.122.57
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	15.95.97.1
	res.ppc.elf	Get hash	malicious	Unknown	Browse	15.62.240.111
	armv5l.elf	Get hash	malicious	Unknown	Browse	15.6.247.41
	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	15.86.183.116
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	15.94.249.38
	armv4l.elf	Get hash	malicious	Unknown	Browse	15.62.68.27
	armv6l.elf	Get hash	malicious	Unknown	Browse	15.40.35.137
	armv7l.elf	Get hash	malicious	Unknown	Browse	15.8.11.165
	armv4l.elf	Get hash	malicious	Unknown	Browse	15.14.209.211
CHINANET-BACKBONENo31Jin-rongStreetCN	ImPgtzz6o4.dll	Get hash	malicious	Wannacry	Browse	218.64.246.1
	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	60.171.191.2
	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	106.230.138.178
	bot.x86.elf	Get hash	malicious	Unknown	Browse	220.183.55.11
	bot.spc.elf	Get hash	malicious	Unknown	Browse	14.155.77.28
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	120.37.0.150
	bot.mips.elf	Get hash	malicious	Unknown	Browse	114.135.188.251
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	113.120.26.134
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	202.98.153.102
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	210.185.215.218
CHINANET-BACKBONENo31Jin-rongStreetCN	ImPgtzz6o4.dll	Get hash	malicious	Wannacry	Browse	218.64.246.1
	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	60.171.191.2
	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	106.230.138.178
	bot.x86.elf	Get hash	malicious	Unknown	Browse	220.183.55.11
	bot.spc.elf	Get hash	malicious	Unknown	Browse	14.155.77.28
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	120.37.0.150
	bot.mips.elf	Get hash	malicious	Unknown	Browse	114.135.188.251
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	113.120.26.134
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	202.98.153.102
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	210.185.215.218

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	173.222.162.64
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	new-riii-1-b.pub.hta	Get hash	malicious	LummaC	Browse	40.115.3.253
	https://login.ecoleterradeasltd.xyz/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638725581254870614.NzQzNDkzODMtOTc3Ni00MTk4LWEyOTgtNzcxOTE2NjUxYzRiMGVmZDU5N2MtN2U3NC00YjUwLTkxMzUtNTE5MGUwYzg1ZmQ2&ui_locales=en-US&mkt=en-US&client-request-id=36d4a1f6-7cba-45d1-a3ed-df92000d1eff&state=HfQ7BQGkYjqSuhdp0uw1pmK7OnWuMWuL6CrtRUQFTAqayUvi4HK2WHpRg3qXyBpviEzEkkPrHxRuxUPhbVJ6VT_z1Q4rknsdO1I1G8I0vvmCJKY1Jj17UvvXfl7rwwbByhZiSjZv4e0zjm8vBEwSjLmzdF29N_NteyY8M7drEpkBEAgCB0EoFXswqlG9707goDIQqjTpA0BHvdohyO5aj-tJFO1J-Wz2owkKr6bkCNZlxKE53oI2XKYpyD1GEC2x5jHgmT1f4Yrr9BPkhEeMCw&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0	Get hash	malicious	Unknown	Browse	40.115.3.253
	random.exe	Get hash	malicious	LiteHTTP Bot	Browse	40.115.3.253
	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253
	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	40.115.3.253
	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.115.3.253

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.991401003557254
Encrypted:	true
SSDEEP:	49152:hqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:hqPoBhz1aRxcSUDk36SAEdhvm
MD5:	03F2EC5030D15A6C8AF50F8F43413938
SHA1:	E2446007234549AEA1435B44B44FA6E14FA90E15
SHA-256:	F61248DB0A47C5A3E87FA5F60BF70AFF0DFC751235D6E83B50D0DDB0575A4F77
SHA-512:	4A2C7E165903F035C61AE5433541FC70E8ADEBAF67B2356DB2C3A0C89D8A4C2CE0682A1F6AD60FAB49F4547E391DBDB6C9B133A881698BD20398DD19B2F3E01B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 85%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.991401003557254
Encrypted:	true
SSDEEP:	49152:hqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:hqPoBhz1aRxcSUDk36SAEdhvm
MD5:	03F2EC5030D15A6C8AF50F8F43413938
SHA1:	E2446007234549AEA1435B44B44FA6E14FA90E15
SHA-256:	F61248DB0A47C5A3E87FA5F60BF70AFF0DFC751235D6E83B50D0DDB0575A4F77
SHA-512:	4A2C7E165903F035C61AE5433541FC70E8ADEBAF67B2356DB2C3A0C89D8A4C2CE0682A1F6AD60FAB49F4547E391DBDB6C9B133A881698BD20398DD19B2F3E01B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 85%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.322609980325374
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QQE81XYXon.dll
File size:	5'267'459 bytes
MD5:	c4fca61333b642e21c2b1ba417c0100d
SHA1:	5505cce40eeedd3948daf098f1ce95aa5cd1bc42
SHA256:	85a6bca0ebd3e1c99d8fd6669a6db6ddd8463b7c7edaa87702ca2a425fc5cce5
SHA512:	ea4138d3ce34d72fbfe522237e22a70cf724a6028d311f54540b0a4f8a2e1dc21b0245c156f67777d9b7878009e09b80b41338d20e8ac5a0cb0e91927b98a023
SSDEEP:	49152:RnHqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1HqPoBhz1aRxcSUDk36SAEdhv
TLSH:	E3363399717C91FCD10519B444ABCA63B2B23C6E26FE6E0F9F4049761C43B5AFB90B42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FC0F4E4E22Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FC0F4E4E248h
cmp esi, 01h
je 00007FC0F4E4E227h
cmp esi, 02h
jne 00007FC0F4E4E244h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FC0F4E4E22Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FC0F4E4E22Eh
push edi
push esi
push ebx
call 00007FC0F4E4E13Ah
test eax, eax
jne 00007FC0F4E4E226h
xor eax, eax
jmp 00007FC0F4E4E270h
push edi
push esi
push ebx
call 00007FC0F4E4DFECh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FC0F4E4E22Eh
test eax, eax
jne 00007FC0F4E4E259h
push edi
push eax
push ebx
call 00007FC0F4E4E116h
test esi, esi
je 00007FC0F4E4E227h
cmp esi, 03h
jne 00007FC0F4E4E248h
push edi
push esi
push ebx
call 00007FC0F4E4E105h
test eax, eax
jne 00007FC0F4E4E225h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FC0F4E4E233h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FC0F4E4E22Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	bbaeaab34c74fc46c50e0563333e2dca	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8785324096679688

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T19:07:05.916752+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.6	54126	1.1.1.1	53	UDP
2025-01-15T19:07:06.827382+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-15T19:07:08.395925+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49712	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 19:06:58.684674978 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:06:58.684726000 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:06:58.997253895 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:05.302925110 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:05.302980900 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:05.303081036 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:05.303724051 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:05.303740978 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.103111029 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.103221893 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.108599901 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.108650923 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.109028101 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.111105919 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.111219883 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.111232996 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.111397028 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.155359983 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.227231979 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:06.232851028 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:06.232945919 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:06.233762980 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:06.238590956 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:06.282931089 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.283046961 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.283109903 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.312241077 CET	49709	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:06.312272072 CET	443	49709	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:06.827258110 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:06.827382088 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:06.827406883 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:06.827498913 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:06.851576090 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:06.856625080 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:07.184815884 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.189687967 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:07.190112114 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.190315008 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.195086002 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:07.663979053 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:07.664011002 CET	80	49711	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:07.664043903 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.664081097 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.670825958 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.670861959 CET	49711	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:07.800595999 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:07.805624008 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:07.805721998 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:07.805841923 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:07.810663939 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.066970110 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.072297096 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.072393894 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.072580099 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.077455044 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.294047117 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:08.294048071 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:08.395829916 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.395925045 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.395937920 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.395992994 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.399260998 CET	49712	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.400509119 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.404133081 CET	80	49712	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.405354977 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:08.405456066 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.405775070 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.410602093 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:08.606493950 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:08.710063934 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.710124016 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.710143089 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.710172892 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.713366032 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 19:07:08.715512991 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.718146086 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 19:07:08.720355034 CET	80	49716	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:08.720845938 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.720845938 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.725584984 CET	80	49716	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:08.871181965 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:08.871243954 CET	80	49714	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:08.871387005 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.877643108 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.877657890 CET	49714	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:08.968210936 CET	49717	445	192.168.2.6	49.114.69.241
Jan 15, 2025 19:07:08.973159075 CET	445	49717	49.114.69.241	192.168.2.6
Jan 15, 2025 19:07:08.974194050 CET	49717	445	192.168.2.6	49.114.69.241
Jan 15, 2025 19:07:08.983431101 CET	49717	445	192.168.2.6	49.114.69.241
Jan 15, 2025 19:07:08.983890057 CET	49718	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:08.988328934 CET	445	49717	49.114.69.241	192.168.2.6
Jan 15, 2025 19:07:08.988487005 CET	49717	445	192.168.2.6	49.114.69.241
Jan 15, 2025 19:07:08.988658905 CET	445	49718	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:08.988992929 CET	49718	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:08.989032030 CET	49718	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:08.994040012 CET	445	49718	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:08.994119883 CET	49718	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:09.213135958 CET	80	49716	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:09.213175058 CET	80	49716	199.59.243.228	192.168.2.6
Jan 15, 2025 19:07:09.213217974 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:09.213217974 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:09.281030893 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:09.281030893 CET	49716	80	192.168.2.6	199.59.243.228
Jan 15, 2025 19:07:09.306107998 CET	49719	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:09.310967922 CET	445	49719	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:09.311081886 CET	49719	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:09.311081886 CET	49719	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:09.315987110 CET	445	49719	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:10.282694101 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:10.282773972 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:10.920595884 CET	49749	445	192.168.2.6	158.87.244.157
Jan 15, 2025 19:07:11.118004084 CET	445	49749	158.87.244.157	192.168.2.6
Jan 15, 2025 19:07:11.118079901 CET	49749	445	192.168.2.6	158.87.244.157
Jan 15, 2025 19:07:11.118164062 CET	49749	445	192.168.2.6	158.87.244.157
Jan 15, 2025 19:07:11.118408918 CET	49753	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.125686884 CET	445	49753	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:11.125780106 CET	49753	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.125794888 CET	445	49749	158.87.244.157	192.168.2.6
Jan 15, 2025 19:07:11.125814915 CET	49753	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.125838041 CET	49749	445	192.168.2.6	158.87.244.157
Jan 15, 2025 19:07:11.126980066 CET	49754	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.130785942 CET	445	49753	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:11.130850077 CET	49753	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.131778002 CET	445	49754	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:11.131839991 CET	49754	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.131886005 CET	49754	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:11.136673927 CET	445	49754	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:12.936170101 CET	49785	445	192.168.2.6	75.228.122.178
Jan 15, 2025 19:07:12.941823959 CET	445	49785	75.228.122.178	192.168.2.6
Jan 15, 2025 19:07:12.941935062 CET	49785	445	192.168.2.6	75.228.122.178
Jan 15, 2025 19:07:12.942020893 CET	49785	445	192.168.2.6	75.228.122.178
Jan 15, 2025 19:07:12.942302942 CET	49786	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.947053909 CET	445	49785	75.228.122.178	192.168.2.6
Jan 15, 2025 19:07:12.947140932 CET	49785	445	192.168.2.6	75.228.122.178
Jan 15, 2025 19:07:12.947216988 CET	445	49786	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:12.947282076 CET	49786	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.947379112 CET	49786	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.948532104 CET	49787	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.952286959 CET	445	49786	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:12.952334881 CET	49786	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.953334093 CET	445	49787	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:12.953402996 CET	49787	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.953464985 CET	49787	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:12.959069967 CET	445	49787	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:13.193336964 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.193382978 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:13.193455935 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.193953037 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.193968058 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:13.975281954 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:13.975359917 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.978358030 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.978370905 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:13.978665113 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:13.980643988 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.980813026 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:13.980818987 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:13.980962992 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:14.027327061 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:14.155673027 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:14.155802965 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:14.155864954 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:14.155972004 CET	49795	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:14.156022072 CET	443	49795	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:14.951996088 CET	49822	445	192.168.2.6	173.218.135.151
Jan 15, 2025 19:07:14.957134008 CET	445	49822	173.218.135.151	192.168.2.6
Jan 15, 2025 19:07:14.957241058 CET	49822	445	192.168.2.6	173.218.135.151
Jan 15, 2025 19:07:14.957421064 CET	49822	445	192.168.2.6	173.218.135.151
Jan 15, 2025 19:07:14.957659960 CET	49823	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.962671995 CET	445	49822	173.218.135.151	192.168.2.6
Jan 15, 2025 19:07:14.962718010 CET	445	49823	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:14.962764978 CET	49822	445	192.168.2.6	173.218.135.151
Jan 15, 2025 19:07:14.962833881 CET	49823	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.962886095 CET	49823	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.964005947 CET	49824	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.968075991 CET	445	49823	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:14.968158007 CET	49823	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.969063997 CET	445	49824	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:14.969147921 CET	49824	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.969250917 CET	49824	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:14.974076986 CET	445	49824	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:16.967710018 CET	49861	445	192.168.2.6	203.128.199.61
Jan 15, 2025 19:07:16.972565889 CET	445	49861	203.128.199.61	192.168.2.6
Jan 15, 2025 19:07:16.972637892 CET	49861	445	192.168.2.6	203.128.199.61
Jan 15, 2025 19:07:16.972676039 CET	49861	445	192.168.2.6	203.128.199.61
Jan 15, 2025 19:07:16.972903013 CET	49862	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.977729082 CET	445	49861	203.128.199.61	192.168.2.6
Jan 15, 2025 19:07:16.977741957 CET	445	49862	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:16.977781057 CET	49861	445	192.168.2.6	203.128.199.61
Jan 15, 2025 19:07:16.977830887 CET	49862	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.977897882 CET	49862	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.979085922 CET	49863	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.982934952 CET	445	49862	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:16.982988119 CET	49862	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.983944893 CET	445	49863	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:16.984024048 CET	49863	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.984074116 CET	49863	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:16.988864899 CET	445	49863	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:18.983289003 CET	49896	445	192.168.2.6	138.181.159.31
Jan 15, 2025 19:07:18.988128901 CET	445	49896	138.181.159.31	192.168.2.6
Jan 15, 2025 19:07:18.988207102 CET	49896	445	192.168.2.6	138.181.159.31
Jan 15, 2025 19:07:18.988287926 CET	49896	445	192.168.2.6	138.181.159.31
Jan 15, 2025 19:07:18.988549948 CET	49897	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:18.993257999 CET	445	49896	138.181.159.31	192.168.2.6
Jan 15, 2025 19:07:18.993314028 CET	49896	445	192.168.2.6	138.181.159.31
Jan 15, 2025 19:07:18.993408918 CET	445	49897	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:18.993479013 CET	49897	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:18.993521929 CET	49897	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:18.994740963 CET	49898	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:18.998418093 CET	445	49897	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:18.998466015 CET	49897	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:18.999481916 CET	445	49898	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:18.999537945 CET	49898	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:18.999629021 CET	49898	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:19.004359007 CET	445	49898	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:20.998162031 CET	49936	445	192.168.2.6	74.134.76.56
Jan 15, 2025 19:07:21.003257036 CET	445	49936	74.134.76.56	192.168.2.6
Jan 15, 2025 19:07:21.003340006 CET	49936	445	192.168.2.6	74.134.76.56
Jan 15, 2025 19:07:21.003437042 CET	49936	445	192.168.2.6	74.134.76.56
Jan 15, 2025 19:07:21.003595114 CET	49937	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.008358002 CET	445	49936	74.134.76.56	192.168.2.6
Jan 15, 2025 19:07:21.008430004 CET	49936	445	192.168.2.6	74.134.76.56
Jan 15, 2025 19:07:21.008459091 CET	445	49937	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:21.008521080 CET	49937	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.008568048 CET	49937	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.012682915 CET	49938	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.013732910 CET	445	49937	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:21.013799906 CET	49937	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.017591000 CET	445	49938	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:21.017653942 CET	49938	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.017677069 CET	49938	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:21.022531033 CET	445	49938	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:21.755347013 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:21.755543947 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:21.759330034 CET	49952	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:21.759341955 CET	443	49952	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:21.760024071 CET	49952	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:21.760210991 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:21.760262012 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:21.760727882 CET	49952	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:21.760735989 CET	443	49952	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:22.374294043 CET	443	49952	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:22.375336885 CET	49952	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:23.013667107 CET	49975	445	192.168.2.6	15.8.58.250
Jan 15, 2025 19:07:23.018410921 CET	445	49975	15.8.58.250	192.168.2.6
Jan 15, 2025 19:07:23.018538952 CET	49975	445	192.168.2.6	15.8.58.250
Jan 15, 2025 19:07:23.018627882 CET	49975	445	192.168.2.6	15.8.58.250
Jan 15, 2025 19:07:23.018836021 CET	49976	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.023602009 CET	445	49976	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:23.023688078 CET	49976	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.023722887 CET	49976	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.023825884 CET	445	49975	15.8.58.250	192.168.2.6
Jan 15, 2025 19:07:23.023874998 CET	49975	445	192.168.2.6	15.8.58.250
Jan 15, 2025 19:07:23.024049044 CET	49977	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.028610945 CET	445	49976	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:23.028708935 CET	49976	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.028839111 CET	445	49977	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:23.029027939 CET	49977	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.029274940 CET	49977	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:23.033997059 CET	445	49977	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:25.028975010 CET	50010	445	192.168.2.6	100.85.225.7
Jan 15, 2025 19:07:25.034054041 CET	445	50010	100.85.225.7	192.168.2.6
Jan 15, 2025 19:07:25.034154892 CET	50010	445	192.168.2.6	100.85.225.7
Jan 15, 2025 19:07:25.034229994 CET	50010	445	192.168.2.6	100.85.225.7
Jan 15, 2025 19:07:25.034338951 CET	50011	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.039161921 CET	445	50011	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:25.039232016 CET	50011	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.039249897 CET	50011	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.039464951 CET	445	50010	100.85.225.7	192.168.2.6
Jan 15, 2025 19:07:25.039532900 CET	50010	445	192.168.2.6	100.85.225.7
Jan 15, 2025 19:07:25.039669037 CET	50012	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.044392109 CET	445	50011	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:25.044456005 CET	50011	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.044496059 CET	445	50012	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:25.044559956 CET	50012	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.044579029 CET	50012	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:25.049412966 CET	445	50012	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:25.207854033 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.207885027 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:25.207969904 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.208496094 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.208513021 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:25.986216068 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:25.986294985 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.989394903 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.989423037 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:25.989656925 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:25.991578102 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.991657972 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:25.991671085 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:25.991795063 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:26.039356947 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:26.180808067 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:26.181029081 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:26.181132078 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:26.181345940 CET	50018	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:26.181375980 CET	443	50018	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:27.044421911 CET	50048	445	192.168.2.6	104.205.84.157
Jan 15, 2025 19:07:27.049232960 CET	445	50048	104.205.84.157	192.168.2.6
Jan 15, 2025 19:07:27.049313068 CET	50048	445	192.168.2.6	104.205.84.157
Jan 15, 2025 19:07:27.049333096 CET	50048	445	192.168.2.6	104.205.84.157
Jan 15, 2025 19:07:27.049530983 CET	50049	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.054291010 CET	445	50048	104.205.84.157	192.168.2.6
Jan 15, 2025 19:07:27.054343939 CET	50048	445	192.168.2.6	104.205.84.157
Jan 15, 2025 19:07:27.054558039 CET	445	50049	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:27.054709911 CET	50049	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.054748058 CET	50049	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.054944038 CET	50050	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.059643984 CET	445	50049	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:27.059696913 CET	50049	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.059712887 CET	445	50050	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:27.059786081 CET	50050	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.059804916 CET	50050	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:27.064553976 CET	445	50050	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:28.702294111 CET	445	50050	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:28.702389956 CET	50050	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:28.702428102 CET	50050	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:28.702449083 CET	50050	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:28.707339048 CET	445	50050	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:28.707349062 CET	445	50050	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:29.060344934 CET	50084	445	192.168.2.6	32.52.139.74
Jan 15, 2025 19:07:29.065311909 CET	445	50084	32.52.139.74	192.168.2.6
Jan 15, 2025 19:07:29.065382004 CET	50084	445	192.168.2.6	32.52.139.74
Jan 15, 2025 19:07:29.065409899 CET	50084	445	192.168.2.6	32.52.139.74
Jan 15, 2025 19:07:29.065521002 CET	50085	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.070267916 CET	445	50085	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:29.070323944 CET	50085	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.070420980 CET	50085	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.070522070 CET	445	50084	32.52.139.74	192.168.2.6
Jan 15, 2025 19:07:29.070579052 CET	50084	445	192.168.2.6	32.52.139.74
Jan 15, 2025 19:07:29.070768118 CET	50086	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.075253010 CET	445	50085	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:29.075320959 CET	50085	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.075613976 CET	445	50086	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:29.075674057 CET	50086	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.075694084 CET	50086	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:29.080491066 CET	445	50086	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:30.684396029 CET	445	49719	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:30.684451103 CET	49719	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:30.684622049 CET	49719	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:30.684622049 CET	49719	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:30.689357996 CET	445	49719	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:30.689390898 CET	445	49719	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:31.076302052 CET	50124	445	192.168.2.6	7.138.150.221
Jan 15, 2025 19:07:31.081228971 CET	445	50124	7.138.150.221	192.168.2.6
Jan 15, 2025 19:07:31.081321955 CET	50124	445	192.168.2.6	7.138.150.221
Jan 15, 2025 19:07:31.081410885 CET	50124	445	192.168.2.6	7.138.150.221
Jan 15, 2025 19:07:31.081573963 CET	50125	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.086409092 CET	445	50125	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:31.086477995 CET	50125	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.086510897 CET	50125	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.086796045 CET	50126	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.086826086 CET	445	50124	7.138.150.221	192.168.2.6
Jan 15, 2025 19:07:31.086889029 CET	50124	445	192.168.2.6	7.138.150.221
Jan 15, 2025 19:07:31.091635942 CET	445	50126	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:31.091711998 CET	50126	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.091727972 CET	50126	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.091783047 CET	445	50125	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:31.091840982 CET	50125	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:31.096636057 CET	445	50126	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:31.716217995 CET	50137	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:31.721088886 CET	445	50137	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:31.721200943 CET	50137	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:31.721219063 CET	50137	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:31.726052999 CET	445	50137	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:32.532027960 CET	445	49754	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:32.532253981 CET	49754	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:32.532253981 CET	49754	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:32.532315969 CET	49754	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:32.537169933 CET	445	49754	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:32.537201881 CET	445	49754	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:33.091639996 CET	50161	445	192.168.2.6	54.192.5.196
Jan 15, 2025 19:07:33.096496105 CET	445	50161	54.192.5.196	192.168.2.6
Jan 15, 2025 19:07:33.096616983 CET	50161	445	192.168.2.6	54.192.5.196
Jan 15, 2025 19:07:33.096669912 CET	50161	445	192.168.2.6	54.192.5.196
Jan 15, 2025 19:07:33.096911907 CET	50162	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.101747036 CET	445	50162	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:33.101830959 CET	445	50161	54.192.5.196	192.168.2.6
Jan 15, 2025 19:07:33.101897001 CET	50162	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.101933956 CET	50161	445	192.168.2.6	54.192.5.196
Jan 15, 2025 19:07:33.102092028 CET	50162	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.102499962 CET	50163	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.106914043 CET	445	50162	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:33.107420921 CET	445	50163	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:33.107510090 CET	50162	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.107558966 CET	50163	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.107630968 CET	50163	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:33.112442017 CET	445	50163	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:33.357063055 CET	445	50137	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:33.357170105 CET	50137	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:33.357206106 CET	50137	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:33.357232094 CET	50137	445	192.168.2.6	104.205.84.1
Jan 15, 2025 19:07:33.362124920 CET	445	50137	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:33.362157106 CET	445	50137	104.205.84.1	192.168.2.6
Jan 15, 2025 19:07:33.419404030 CET	50169	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.424370050 CET	445	50169	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:33.424436092 CET	50169	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.424499989 CET	50169	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.424715042 CET	50171	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.429441929 CET	445	50169	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:33.429512978 CET	445	50171	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:33.429527044 CET	50169	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.429573059 CET	50171	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.429619074 CET	50171	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:33.434508085 CET	445	50171	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:33.685265064 CET	50175	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:33.690191984 CET	445	50175	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:33.690304041 CET	50175	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:33.693955898 CET	50175	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:33.698797941 CET	445	50175	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:34.343050957 CET	445	49787	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:34.343210936 CET	49787	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:34.343211889 CET	49787	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:34.343266964 CET	49787	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:34.348282099 CET	445	49787	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:34.348300934 CET	445	49787	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:35.109550953 CET	50190	445	192.168.2.6	53.194.27.144
Jan 15, 2025 19:07:35.114536047 CET	445	50190	53.194.27.144	192.168.2.6
Jan 15, 2025 19:07:35.114656925 CET	50190	445	192.168.2.6	53.194.27.144
Jan 15, 2025 19:07:35.114708900 CET	50190	445	192.168.2.6	53.194.27.144
Jan 15, 2025 19:07:35.114860058 CET	50191	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.119699001 CET	445	50190	53.194.27.144	192.168.2.6
Jan 15, 2025 19:07:35.119751930 CET	445	50191	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:35.119762897 CET	50190	445	192.168.2.6	53.194.27.144
Jan 15, 2025 19:07:35.119831085 CET	50191	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.119930029 CET	50191	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.120186090 CET	50192	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.124777079 CET	445	50191	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:35.124835014 CET	50191	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.125051022 CET	445	50192	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:35.125127077 CET	50192	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.125139952 CET	50192	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:35.130116940 CET	445	50192	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:35.544482946 CET	50195	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:35.549470901 CET	445	50195	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:35.549707890 CET	50195	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:35.549736023 CET	50195	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:35.554577112 CET	445	50195	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:36.354484081 CET	445	49824	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:36.354547977 CET	49824	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:36.354598999 CET	49824	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:36.354660034 CET	49824	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:36.359338045 CET	445	49824	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:36.359421968 CET	445	49824	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:37.130088091 CET	50206	445	192.168.2.6	117.29.223.41
Jan 15, 2025 19:07:37.135126114 CET	445	50206	117.29.223.41	192.168.2.6
Jan 15, 2025 19:07:37.135241985 CET	50206	445	192.168.2.6	117.29.223.41
Jan 15, 2025 19:07:37.135303974 CET	50206	445	192.168.2.6	117.29.223.41
Jan 15, 2025 19:07:37.135445118 CET	50207	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.140352964 CET	445	50207	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:37.140448093 CET	50207	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.140490055 CET	50207	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.140578985 CET	445	50206	117.29.223.41	192.168.2.6
Jan 15, 2025 19:07:37.141253948 CET	50206	445	192.168.2.6	117.29.223.41
Jan 15, 2025 19:07:37.146277905 CET	445	50207	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:37.146434069 CET	50208	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.146466017 CET	50207	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.151422024 CET	445	50208	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:37.151496887 CET	50208	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.151544094 CET	50208	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:37.156393051 CET	445	50208	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:37.356879950 CET	50212	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:37.361898899 CET	445	50212	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:37.366250992 CET	50212	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:37.366292953 CET	50212	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:37.371131897 CET	445	50212	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:38.323344946 CET	445	49863	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:38.323446035 CET	49863	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:38.323446989 CET	49863	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:38.323548079 CET	49863	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:38.328480005 CET	445	49863	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:38.328510046 CET	445	49863	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:39.138400078 CET	50223	445	192.168.2.6	153.143.158.197
Jan 15, 2025 19:07:39.146756887 CET	445	50223	153.143.158.197	192.168.2.6
Jan 15, 2025 19:07:39.146910906 CET	50223	445	192.168.2.6	153.143.158.197
Jan 15, 2025 19:07:39.147030115 CET	50224	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.147037983 CET	50223	445	192.168.2.6	153.143.158.197
Jan 15, 2025 19:07:39.156424046 CET	445	50224	153.143.158.1	192.168.2.6
Jan 15, 2025 19:07:39.156599998 CET	445	50223	153.143.158.197	192.168.2.6
Jan 15, 2025 19:07:39.156620026 CET	50224	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.156831026 CET	50224	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.156841040 CET	50223	445	192.168.2.6	153.143.158.197
Jan 15, 2025 19:07:39.157035112 CET	50225	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.166346073 CET	445	50224	153.143.158.1	192.168.2.6
Jan 15, 2025 19:07:39.166429043 CET	50224	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.166649103 CET	445	50225	153.143.158.1	192.168.2.6
Jan 15, 2025 19:07:39.166831970 CET	50225	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.166831970 CET	50225	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:07:39.176436901 CET	445	50225	153.143.158.1	192.168.2.6
Jan 15, 2025 19:07:39.357017040 CET	50228	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:39.366512060 CET	445	50228	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:39.366611004 CET	50228	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:39.366693020 CET	50228	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:07:39.376329899 CET	445	50228	173.218.135.1	192.168.2.6
Jan 15, 2025 19:07:40.374283075 CET	445	49898	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:40.374433994 CET	49898	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:40.374495983 CET	49898	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:40.374557972 CET	49898	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:40.379767895 CET	445	49898	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:40.379787922 CET	445	49898	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:41.154514074 CET	50241	445	192.168.2.6	63.35.17.92
Jan 15, 2025 19:07:41.159702063 CET	445	50241	63.35.17.92	192.168.2.6
Jan 15, 2025 19:07:41.160073042 CET	50241	445	192.168.2.6	63.35.17.92
Jan 15, 2025 19:07:41.160073042 CET	50241	445	192.168.2.6	63.35.17.92
Jan 15, 2025 19:07:41.160165071 CET	50242	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.165498972 CET	445	50242	63.35.17.1	192.168.2.6
Jan 15, 2025 19:07:41.165510893 CET	445	50241	63.35.17.92	192.168.2.6
Jan 15, 2025 19:07:41.165766001 CET	50241	445	192.168.2.6	63.35.17.92
Jan 15, 2025 19:07:41.165766001 CET	50242	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.165766954 CET	50242	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.166162014 CET	50243	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.171037912 CET	445	50242	63.35.17.1	192.168.2.6
Jan 15, 2025 19:07:41.171052933 CET	445	50243	63.35.17.1	192.168.2.6
Jan 15, 2025 19:07:41.171144962 CET	50242	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.171308994 CET	50243	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.171308994 CET	50243	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:07:41.176141024 CET	445	50243	63.35.17.1	192.168.2.6
Jan 15, 2025 19:07:41.325809956 CET	50244	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:41.330617905 CET	445	50244	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:41.330709934 CET	50244	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:41.330768108 CET	50244	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:07:41.335551977 CET	445	50244	203.128.199.1	192.168.2.6
Jan 15, 2025 19:07:41.534285069 CET	443	49952	173.222.162.64	192.168.2.6
Jan 15, 2025 19:07:41.534408092 CET	49952	443	192.168.2.6	173.222.162.64
Jan 15, 2025 19:07:42.386821985 CET	445	49938	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:42.386897087 CET	49938	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:42.386990070 CET	49938	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:42.386990070 CET	49938	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:42.392883062 CET	445	49938	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:42.392894030 CET	445	49938	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:43.169670105 CET	50258	445	192.168.2.6	60.208.232.173
Jan 15, 2025 19:07:43.174546003 CET	445	50258	60.208.232.173	192.168.2.6
Jan 15, 2025 19:07:43.174638033 CET	50258	445	192.168.2.6	60.208.232.173
Jan 15, 2025 19:07:43.174673080 CET	50258	445	192.168.2.6	60.208.232.173
Jan 15, 2025 19:07:43.174798965 CET	50259	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.179625034 CET	445	50259	60.208.232.1	192.168.2.6
Jan 15, 2025 19:07:43.179691076 CET	50259	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.179712057 CET	50259	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.179738998 CET	445	50258	60.208.232.173	192.168.2.6
Jan 15, 2025 19:07:43.180049896 CET	50260	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.180077076 CET	50258	445	192.168.2.6	60.208.232.173
Jan 15, 2025 19:07:43.184717894 CET	445	50259	60.208.232.1	192.168.2.6
Jan 15, 2025 19:07:43.184844017 CET	50259	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.184911966 CET	445	50260	60.208.232.1	192.168.2.6
Jan 15, 2025 19:07:43.184993029 CET	50260	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.185007095 CET	50260	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:07:43.189819098 CET	445	50260	60.208.232.1	192.168.2.6
Jan 15, 2025 19:07:43.388096094 CET	50263	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:43.392995119 CET	445	50263	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:43.393157959 CET	50263	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:43.393157959 CET	50263	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:07:43.398015022 CET	445	50263	138.181.159.1	192.168.2.6
Jan 15, 2025 19:07:43.427464008 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:43.427516937 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:43.427603006 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:43.428333998 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:43.428348064 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.230834007 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.230930090 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.235912085 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.235934019 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.236713886 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.238032103 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.238092899 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.238096952 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.238192081 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.279326916 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.401717901 CET	445	49977	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:44.401787996 CET	49977	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:44.401818991 CET	49977	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:44.401845932 CET	49977	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:44.406734943 CET	445	49977	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:44.406764984 CET	445	49977	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:44.410409927 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.410619974 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.410681009 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.413705111 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:44.413722992 CET	443	50264	40.115.3.253	192.168.2.6
Jan 15, 2025 19:07:44.413738966 CET	50264	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:07:45.044817924 CET	50275	445	192.168.2.6	56.85.51.143
Jan 15, 2025 19:07:45.049927950 CET	445	50275	56.85.51.143	192.168.2.6
Jan 15, 2025 19:07:45.050043106 CET	50275	445	192.168.2.6	56.85.51.143
Jan 15, 2025 19:07:45.050754070 CET	50275	445	192.168.2.6	56.85.51.143
Jan 15, 2025 19:07:45.050940037 CET	50276	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.055645943 CET	445	50275	56.85.51.143	192.168.2.6
Jan 15, 2025 19:07:45.055752993 CET	50275	445	192.168.2.6	56.85.51.143
Jan 15, 2025 19:07:45.055897951 CET	445	50276	56.85.51.1	192.168.2.6
Jan 15, 2025 19:07:45.055984020 CET	50276	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.057794094 CET	50276	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.058049917 CET	50277	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.062699080 CET	445	50276	56.85.51.1	192.168.2.6
Jan 15, 2025 19:07:45.062769890 CET	50276	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.062956095 CET	445	50277	56.85.51.1	192.168.2.6
Jan 15, 2025 19:07:45.063031912 CET	50277	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.063095093 CET	50277	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:07:45.067872047 CET	445	50277	56.85.51.1	192.168.2.6
Jan 15, 2025 19:07:45.388246059 CET	50279	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:45.393094063 CET	445	50279	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:45.393291950 CET	50279	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:45.400283098 CET	50279	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:07:45.405029058 CET	445	50279	74.134.76.1	192.168.2.6
Jan 15, 2025 19:07:46.416755915 CET	445	50012	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:46.416836977 CET	50012	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:46.416876078 CET	50012	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:46.416903973 CET	50012	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:46.422533035 CET	445	50012	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:46.422580004 CET	445	50012	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:46.794723988 CET	50290	445	192.168.2.6	200.198.81.71
Jan 15, 2025 19:07:46.799781084 CET	445	50290	200.198.81.71	192.168.2.6
Jan 15, 2025 19:07:46.799985886 CET	50290	445	192.168.2.6	200.198.81.71
Jan 15, 2025 19:07:46.800076962 CET	50290	445	192.168.2.6	200.198.81.71
Jan 15, 2025 19:07:46.800425053 CET	50291	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.805263996 CET	445	50290	200.198.81.71	192.168.2.6
Jan 15, 2025 19:07:46.805315018 CET	445	50291	200.198.81.1	192.168.2.6
Jan 15, 2025 19:07:46.805344105 CET	50290	445	192.168.2.6	200.198.81.71
Jan 15, 2025 19:07:46.805411100 CET	50291	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.805574894 CET	50291	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.806014061 CET	50292	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.810584068 CET	445	50291	200.198.81.1	192.168.2.6
Jan 15, 2025 19:07:46.810673952 CET	50291	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.810895920 CET	445	50292	200.198.81.1	192.168.2.6
Jan 15, 2025 19:07:46.810971022 CET	50292	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.811007023 CET	50292	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:07:46.815792084 CET	445	50292	200.198.81.1	192.168.2.6
Jan 15, 2025 19:07:47.403759003 CET	50297	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:47.408824921 CET	445	50297	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:47.408899069 CET	50297	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:47.408952951 CET	50297	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:07:47.414047956 CET	445	50297	15.8.58.1	192.168.2.6
Jan 15, 2025 19:07:48.435570955 CET	50304	445	192.168.2.6	117.41.142.10
Jan 15, 2025 19:07:48.440480947 CET	445	50304	117.41.142.10	192.168.2.6
Jan 15, 2025 19:07:48.440572977 CET	50304	445	192.168.2.6	117.41.142.10
Jan 15, 2025 19:07:48.440618038 CET	50304	445	192.168.2.6	117.41.142.10
Jan 15, 2025 19:07:48.440740108 CET	50305	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.445521116 CET	445	50305	117.41.142.1	192.168.2.6
Jan 15, 2025 19:07:48.445589066 CET	50305	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.445612907 CET	50305	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.445617914 CET	445	50304	117.41.142.10	192.168.2.6
Jan 15, 2025 19:07:48.445678949 CET	50304	445	192.168.2.6	117.41.142.10
Jan 15, 2025 19:07:48.445959091 CET	50306	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.450541973 CET	445	50305	117.41.142.1	192.168.2.6
Jan 15, 2025 19:07:48.450597048 CET	50305	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.450865030 CET	445	50306	117.41.142.1	192.168.2.6
Jan 15, 2025 19:07:48.450939894 CET	50306	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.450993061 CET	50306	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:07:48.455960035 CET	445	50306	117.41.142.1	192.168.2.6
Jan 15, 2025 19:07:49.419349909 CET	50315	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:49.424175024 CET	445	50315	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:49.424248934 CET	50315	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:49.424299002 CET	50315	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:07:49.429049015 CET	445	50315	100.85.225.1	192.168.2.6
Jan 15, 2025 19:07:49.966727972 CET	50318	445	192.168.2.6	74.226.207.102
Jan 15, 2025 19:07:49.971667051 CET	445	50318	74.226.207.102	192.168.2.6
Jan 15, 2025 19:07:49.971787930 CET	50318	445	192.168.2.6	74.226.207.102
Jan 15, 2025 19:07:49.971848011 CET	50318	445	192.168.2.6	74.226.207.102
Jan 15, 2025 19:07:49.972141981 CET	50319	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.976845026 CET	445	50318	74.226.207.102	192.168.2.6
Jan 15, 2025 19:07:49.977121115 CET	445	50319	74.226.207.1	192.168.2.6
Jan 15, 2025 19:07:49.977190971 CET	50319	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.977226019 CET	50319	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.977252007 CET	445	50318	74.226.207.102	192.168.2.6
Jan 15, 2025 19:07:49.977313042 CET	50318	445	192.168.2.6	74.226.207.102
Jan 15, 2025 19:07:49.977444887 CET	50320	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.982175112 CET	445	50319	74.226.207.1	192.168.2.6
Jan 15, 2025 19:07:49.982254982 CET	50319	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.982292891 CET	445	50320	74.226.207.1	192.168.2.6
Jan 15, 2025 19:07:49.982381105 CET	50320	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.982381105 CET	50320	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:07:49.987200022 CET	445	50320	74.226.207.1	192.168.2.6
Jan 15, 2025 19:07:50.438658953 CET	445	50086	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:50.438752890 CET	50086	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:50.438803911 CET	50086	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:50.438827038 CET	50086	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:50.443696976 CET	445	50086	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:50.443706989 CET	445	50086	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:51.388660908 CET	50325	445	192.168.2.6	149.241.237.229
Jan 15, 2025 19:07:51.393640995 CET	445	50325	149.241.237.229	192.168.2.6
Jan 15, 2025 19:07:51.393752098 CET	50325	445	192.168.2.6	149.241.237.229
Jan 15, 2025 19:07:51.393773079 CET	50325	445	192.168.2.6	149.241.237.229
Jan 15, 2025 19:07:51.393968105 CET	50326	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.399224043 CET	445	50325	149.241.237.229	192.168.2.6
Jan 15, 2025 19:07:51.399272919 CET	445	50326	149.241.237.1	192.168.2.6
Jan 15, 2025 19:07:51.399539948 CET	50325	445	192.168.2.6	149.241.237.229
Jan 15, 2025 19:07:51.399641991 CET	50326	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.399641991 CET	50326	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.400167942 CET	50327	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.404683113 CET	445	50326	149.241.237.1	192.168.2.6
Jan 15, 2025 19:07:51.404764891 CET	50326	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.405050993 CET	445	50327	149.241.237.1	192.168.2.6
Jan 15, 2025 19:07:51.405138016 CET	50327	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.405196905 CET	50327	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:07:51.410012960 CET	445	50327	149.241.237.1	192.168.2.6
Jan 15, 2025 19:07:52.466298103 CET	445	50126	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:52.466399908 CET	50126	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:52.466451883 CET	50126	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:52.466501951 CET	50126	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:52.471472025 CET	445	50126	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:52.471486092 CET	445	50126	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:52.747355938 CET	50328	445	192.168.2.6	7.192.148.128
Jan 15, 2025 19:07:52.752413988 CET	445	50328	7.192.148.128	192.168.2.6
Jan 15, 2025 19:07:52.752542973 CET	50328	445	192.168.2.6	7.192.148.128
Jan 15, 2025 19:07:52.752595901 CET	50328	445	192.168.2.6	7.192.148.128
Jan 15, 2025 19:07:52.752759933 CET	50329	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.757556915 CET	445	50329	7.192.148.1	192.168.2.6
Jan 15, 2025 19:07:52.757636070 CET	50329	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.757862091 CET	50329	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.758181095 CET	50330	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.758327007 CET	445	50328	7.192.148.128	192.168.2.6
Jan 15, 2025 19:07:52.758389950 CET	50328	445	192.168.2.6	7.192.148.128
Jan 15, 2025 19:07:52.762723923 CET	445	50329	7.192.148.1	192.168.2.6
Jan 15, 2025 19:07:52.762788057 CET	50329	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.762988091 CET	445	50330	7.192.148.1	192.168.2.6
Jan 15, 2025 19:07:52.763053894 CET	50330	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.763098001 CET	50330	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:07:52.767832041 CET	445	50330	7.192.148.1	192.168.2.6
Jan 15, 2025 19:07:53.450679064 CET	50331	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:53.455630064 CET	445	50331	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:53.455738068 CET	50331	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:53.455787897 CET	50331	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:07:53.460566044 CET	445	50331	32.52.139.1	192.168.2.6
Jan 15, 2025 19:07:53.951919079 CET	50332	445	192.168.2.6	160.120.91.248
Jan 15, 2025 19:07:53.956970930 CET	445	50332	160.120.91.248	192.168.2.6
Jan 15, 2025 19:07:53.957087040 CET	50332	445	192.168.2.6	160.120.91.248
Jan 15, 2025 19:07:53.957139015 CET	50332	445	192.168.2.6	160.120.91.248
Jan 15, 2025 19:07:53.957357883 CET	50333	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.962151051 CET	445	50332	160.120.91.248	192.168.2.6
Jan 15, 2025 19:07:53.962208986 CET	445	50333	160.120.91.1	192.168.2.6
Jan 15, 2025 19:07:53.962224960 CET	50332	445	192.168.2.6	160.120.91.248
Jan 15, 2025 19:07:53.962291956 CET	50333	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.962378025 CET	50333	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.962675095 CET	50334	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.967365980 CET	445	50333	160.120.91.1	192.168.2.6
Jan 15, 2025 19:07:53.967561960 CET	445	50334	160.120.91.1	192.168.2.6
Jan 15, 2025 19:07:53.967619896 CET	50333	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.967641115 CET	50334	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.967694998 CET	50334	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:07:53.972486019 CET	445	50334	160.120.91.1	192.168.2.6
Jan 15, 2025 19:07:54.513029099 CET	445	50163	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:54.513149023 CET	50163	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:54.513209105 CET	50163	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:54.513231039 CET	50163	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:54.519049883 CET	445	50163	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:54.519063950 CET	445	50163	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:54.791965008 CET	445	50171	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:54.792037010 CET	50171	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:54.792181015 CET	50171	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:54.792244911 CET	50171	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:54.797014952 CET	445	50171	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:54.797060966 CET	445	50171	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:55.042624950 CET	445	50175	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:55.042767048 CET	50175	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:55.042889118 CET	50175	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:55.042968035 CET	50175	445	192.168.2.6	49.114.69.1
Jan 15, 2025 19:07:55.047730923 CET	445	50175	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:55.048012018 CET	445	50175	49.114.69.1	192.168.2.6
Jan 15, 2025 19:07:55.107081890 CET	50335	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.107256889 CET	50336	445	192.168.2.6	203.223.187.164
Jan 15, 2025 19:07:55.112025976 CET	445	50335	49.114.69.2	192.168.2.6
Jan 15, 2025 19:07:55.112061024 CET	445	50336	203.223.187.164	192.168.2.6
Jan 15, 2025 19:07:55.112132072 CET	50335	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.112169981 CET	50336	445	192.168.2.6	203.223.187.164
Jan 15, 2025 19:07:55.112286091 CET	50335	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.112382889 CET	50336	445	192.168.2.6	203.223.187.164
Jan 15, 2025 19:07:55.112519026 CET	50337	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.112715006 CET	50338	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.117253065 CET	445	50335	49.114.69.2	192.168.2.6
Jan 15, 2025 19:07:55.117327929 CET	50335	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.117351055 CET	445	50337	203.223.187.1	192.168.2.6
Jan 15, 2025 19:07:55.117384911 CET	445	50336	203.223.187.164	192.168.2.6
Jan 15, 2025 19:07:55.117410898 CET	50337	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.117432117 CET	50336	445	192.168.2.6	203.223.187.164
Jan 15, 2025 19:07:55.117507935 CET	50337	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.117508888 CET	445	50338	49.114.69.2	192.168.2.6
Jan 15, 2025 19:07:55.117573023 CET	50338	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.117619038 CET	50338	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:07:55.117747068 CET	50339	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.122335911 CET	445	50337	203.223.187.1	192.168.2.6
Jan 15, 2025 19:07:55.122390985 CET	50337	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.122400999 CET	445	50338	49.114.69.2	192.168.2.6
Jan 15, 2025 19:07:55.122474909 CET	445	50339	203.223.187.1	192.168.2.6
Jan 15, 2025 19:07:55.122550964 CET	50339	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.122551918 CET	50339	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:07:55.127310991 CET	445	50339	203.223.187.1	192.168.2.6
Jan 15, 2025 19:07:55.481987953 CET	50340	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:55.486915112 CET	445	50340	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:55.487019062 CET	50340	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:55.487076044 CET	50340	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:07:55.491823912 CET	445	50340	7.138.150.1	192.168.2.6
Jan 15, 2025 19:07:56.185487986 CET	50341	445	192.168.2.6	209.63.158.237
Jan 15, 2025 19:07:56.190593958 CET	445	50341	209.63.158.237	192.168.2.6
Jan 15, 2025 19:07:56.190723896 CET	50341	445	192.168.2.6	209.63.158.237
Jan 15, 2025 19:07:56.190723896 CET	50341	445	192.168.2.6	209.63.158.237
Jan 15, 2025 19:07:56.190813065 CET	50342	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.195888996 CET	445	50342	209.63.158.1	192.168.2.6
Jan 15, 2025 19:07:56.196002007 CET	50342	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.196002007 CET	50342	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.196094990 CET	445	50341	209.63.158.237	192.168.2.6
Jan 15, 2025 19:07:56.196167946 CET	50341	445	192.168.2.6	209.63.158.237
Jan 15, 2025 19:07:56.196310043 CET	50343	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.201401949 CET	445	50342	209.63.158.1	192.168.2.6
Jan 15, 2025 19:07:56.201432943 CET	445	50343	209.63.158.1	192.168.2.6
Jan 15, 2025 19:07:56.201471090 CET	50342	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.201512098 CET	50343	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.201545954 CET	50343	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:07:56.206367016 CET	445	50343	209.63.158.1	192.168.2.6
Jan 15, 2025 19:07:56.497688055 CET	445	50192	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:56.497773886 CET	50192	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:56.497814894 CET	50192	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:56.497848988 CET	50192	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:56.502717972 CET	445	50192	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:56.502789021 CET	445	50192	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:56.917726040 CET	445	50195	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:56.918061018 CET	50195	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:56.918061972 CET	50195	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:56.918746948 CET	50195	445	192.168.2.6	158.87.244.1
Jan 15, 2025 19:07:56.923763990 CET	445	50195	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:56.924282074 CET	445	50195	158.87.244.1	192.168.2.6
Jan 15, 2025 19:07:56.982055902 CET	50344	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.986959934 CET	445	50344	158.87.244.2	192.168.2.6
Jan 15, 2025 19:07:56.987066031 CET	50344	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.987080097 CET	50344	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.987355947 CET	50345	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.991965055 CET	445	50344	158.87.244.2	192.168.2.6
Jan 15, 2025 19:07:56.992031097 CET	50344	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.992162943 CET	445	50345	158.87.244.2	192.168.2.6
Jan 15, 2025 19:07:56.992244959 CET	50345	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.992290020 CET	50345	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:07:56.997021914 CET	445	50345	158.87.244.2	192.168.2.6
Jan 15, 2025 19:07:57.529335022 CET	50347	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:57.536782980 CET	445	50347	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:57.536902905 CET	50347	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:57.537085056 CET	50347	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:07:57.543690920 CET	445	50347	54.192.5.1	192.168.2.6
Jan 15, 2025 19:07:57.811491013 CET	50348	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:57.817121983 CET	445	50348	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:57.817223072 CET	50348	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:57.817269087 CET	50348	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:07:57.823009968 CET	445	50348	104.205.84.2	192.168.2.6
Jan 15, 2025 19:07:58.276407957 CET	50349	445	192.168.2.6	23.94.219.189
Jan 15, 2025 19:07:58.281374931 CET	445	50349	23.94.219.189	192.168.2.6
Jan 15, 2025 19:07:58.281481028 CET	50349	445	192.168.2.6	23.94.219.189
Jan 15, 2025 19:07:58.284516096 CET	50349	445	192.168.2.6	23.94.219.189
Jan 15, 2025 19:07:58.284750938 CET	50350	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.289560080 CET	445	50350	23.94.219.1	192.168.2.6
Jan 15, 2025 19:07:58.289575100 CET	445	50349	23.94.219.189	192.168.2.6
Jan 15, 2025 19:07:58.289669037 CET	50350	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.289719105 CET	50349	445	192.168.2.6	23.94.219.189
Jan 15, 2025 19:07:58.309585094 CET	50350	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.310766935 CET	50351	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.314532042 CET	445	50350	23.94.219.1	192.168.2.6
Jan 15, 2025 19:07:58.314599991 CET	50350	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.315601110 CET	445	50351	23.94.219.1	192.168.2.6
Jan 15, 2025 19:07:58.315670013 CET	50351	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.315910101 CET	50351	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:07:58.320785046 CET	445	50351	23.94.219.1	192.168.2.6
Jan 15, 2025 19:07:58.388261080 CET	50352	445	192.168.2.6	118.54.82.136
Jan 15, 2025 19:07:58.393177986 CET	445	50352	118.54.82.136	192.168.2.6
Jan 15, 2025 19:07:58.393253088 CET	50352	445	192.168.2.6	118.54.82.136
Jan 15, 2025 19:07:58.393296957 CET	50352	445	192.168.2.6	118.54.82.136
Jan 15, 2025 19:07:58.393528938 CET	50353	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.398212910 CET	445	50352	118.54.82.136	192.168.2.6
Jan 15, 2025 19:07:58.398271084 CET	50352	445	192.168.2.6	118.54.82.136
Jan 15, 2025 19:07:58.398297071 CET	445	50353	118.54.82.1	192.168.2.6
Jan 15, 2025 19:07:58.398355961 CET	50353	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.398391008 CET	50353	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.398967028 CET	50354	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.403558969 CET	445	50353	118.54.82.1	192.168.2.6
Jan 15, 2025 19:07:58.403626919 CET	50353	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.404084921 CET	445	50354	118.54.82.1	192.168.2.6
Jan 15, 2025 19:07:58.404154062 CET	50354	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.404201031 CET	50354	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:07:58.408947945 CET	445	50354	118.54.82.1	192.168.2.6
Jan 15, 2025 19:07:58.548374891 CET	445	50208	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:58.548510075 CET	50208	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:58.548543930 CET	50208	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:58.548578978 CET	50208	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:07:58.554785967 CET	445	50208	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:58.554817915 CET	445	50208	117.29.223.1	192.168.2.6
Jan 15, 2025 19:07:58.745901108 CET	445	50212	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:58.745979071 CET	50212	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:58.746059895 CET	50212	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:58.746146917 CET	50212	445	192.168.2.6	75.228.122.1
Jan 15, 2025 19:07:58.750804901 CET	445	50212	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:58.750909090 CET	445	50212	75.228.122.1	192.168.2.6
Jan 15, 2025 19:07:58.810504913 CET	50356	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.815359116 CET	445	50356	75.228.122.2	192.168.2.6
Jan 15, 2025 19:07:58.815440893 CET	50356	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.815638065 CET	50356	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.816358089 CET	50357	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.820477009 CET	445	50356	75.228.122.2	192.168.2.6
Jan 15, 2025 19:07:58.820545912 CET	50356	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.821132898 CET	445	50357	75.228.122.2	192.168.2.6
Jan 15, 2025 19:07:58.821299076 CET	50357	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.823530912 CET	50357	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:07:58.828344107 CET	445	50357	75.228.122.2	192.168.2.6
Jan 15, 2025 19:07:59.076035976 CET	50358	445	192.168.2.6	126.115.83.115
Jan 15, 2025 19:07:59.081528902 CET	445	50358	126.115.83.115	192.168.2.6
Jan 15, 2025 19:07:59.081625938 CET	50358	445	192.168.2.6	126.115.83.115
Jan 15, 2025 19:07:59.081665039 CET	50358	445	192.168.2.6	126.115.83.115
Jan 15, 2025 19:07:59.081779003 CET	50359	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.086668968 CET	445	50359	126.115.83.1	192.168.2.6
Jan 15, 2025 19:07:59.086749077 CET	50359	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.086826086 CET	50359	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.086946011 CET	445	50358	126.115.83.115	192.168.2.6
Jan 15, 2025 19:07:59.087006092 CET	50358	445	192.168.2.6	126.115.83.115
Jan 15, 2025 19:07:59.087196112 CET	50360	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.091794014 CET	445	50359	126.115.83.1	192.168.2.6
Jan 15, 2025 19:07:59.091893911 CET	50359	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.092133045 CET	445	50360	126.115.83.1	192.168.2.6
Jan 15, 2025 19:07:59.092250109 CET	50360	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.092345953 CET	50360	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:07:59.097150087 CET	445	50360	126.115.83.1	192.168.2.6
Jan 15, 2025 19:07:59.514703989 CET	50361	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:59.519824982 CET	445	50361	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:59.519922018 CET	50361	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:59.519965887 CET	50361	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:07:59.524858952 CET	445	50361	53.194.27.1	192.168.2.6
Jan 15, 2025 19:07:59.904352903 CET	50362	445	192.168.2.6	186.162.98.9
Jan 15, 2025 19:07:59.909423113 CET	445	50362	186.162.98.9	192.168.2.6
Jan 15, 2025 19:07:59.912786961 CET	50362	445	192.168.2.6	186.162.98.9
Jan 15, 2025 19:07:59.912872076 CET	50362	445	192.168.2.6	186.162.98.9
Jan 15, 2025 19:07:59.913105965 CET	50363	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.917972088 CET	445	50363	186.162.98.1	192.168.2.6
Jan 15, 2025 19:07:59.918005943 CET	445	50362	186.162.98.9	192.168.2.6
Jan 15, 2025 19:07:59.918103933 CET	50362	445	192.168.2.6	186.162.98.9
Jan 15, 2025 19:07:59.918117046 CET	50363	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.918224096 CET	50363	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.918589115 CET	50364	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.923100948 CET	445	50363	186.162.98.1	192.168.2.6
Jan 15, 2025 19:07:59.923410892 CET	445	50364	186.162.98.1	192.168.2.6
Jan 15, 2025 19:07:59.923480988 CET	50363	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.923516035 CET	50364	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.923551083 CET	50364	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:07:59.928343058 CET	445	50364	186.162.98.1	192.168.2.6
Jan 15, 2025 19:08:00.513906002 CET	445	50225	153.143.158.1	192.168.2.6
Jan 15, 2025 19:08:00.514061928 CET	50225	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:00.514183998 CET	50225	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:00.514230013 CET	50225	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:00.519016027 CET	445	50225	153.143.158.1	192.168.2.6
Jan 15, 2025 19:08:00.519033909 CET	445	50225	153.143.158.1	192.168.2.6
Jan 15, 2025 19:08:00.677325010 CET	50365	445	192.168.2.6	216.15.111.218
Jan 15, 2025 19:08:00.682456017 CET	445	50365	216.15.111.218	192.168.2.6
Jan 15, 2025 19:08:00.682559967 CET	50365	445	192.168.2.6	216.15.111.218
Jan 15, 2025 19:08:00.682632923 CET	50365	445	192.168.2.6	216.15.111.218
Jan 15, 2025 19:08:00.682790041 CET	50366	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.687774897 CET	445	50366	216.15.111.1	192.168.2.6
Jan 15, 2025 19:08:00.687808037 CET	445	50365	216.15.111.218	192.168.2.6
Jan 15, 2025 19:08:00.687922955 CET	50365	445	192.168.2.6	216.15.111.218
Jan 15, 2025 19:08:00.687922955 CET	50366	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.691889048 CET	50366	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.692893982 CET	50367	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.696743965 CET	445	50366	216.15.111.1	192.168.2.6
Jan 15, 2025 19:08:00.696835041 CET	50366	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.697753906 CET	445	50367	216.15.111.1	192.168.2.6
Jan 15, 2025 19:08:00.697834969 CET	50367	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.699640036 CET	50367	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:00.704440117 CET	445	50367	216.15.111.1	192.168.2.6
Jan 15, 2025 19:08:00.745937109 CET	445	50228	173.218.135.1	192.168.2.6
Jan 15, 2025 19:08:00.746160030 CET	50228	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:08:00.759784937 CET	50228	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:08:00.759784937 CET	50228	445	192.168.2.6	173.218.135.1
Jan 15, 2025 19:08:00.764908075 CET	445	50228	173.218.135.1	192.168.2.6
Jan 15, 2025 19:08:00.764947891 CET	445	50228	173.218.135.1	192.168.2.6
Jan 15, 2025 19:08:00.850472927 CET	50368	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.855674982 CET	445	50368	173.218.135.2	192.168.2.6
Jan 15, 2025 19:08:00.855777979 CET	50368	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.859610081 CET	50368	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.864523888 CET	445	50368	173.218.135.2	192.168.2.6
Jan 15, 2025 19:08:00.866624117 CET	50368	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.976231098 CET	50369	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.981215000 CET	445	50369	173.218.135.2	192.168.2.6
Jan 15, 2025 19:08:00.981302023 CET	50369	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.981323957 CET	50369	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:00.986115932 CET	445	50369	173.218.135.2	192.168.2.6
Jan 15, 2025 19:08:01.041080952 CET	445	50360	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:01.041222095 CET	50360	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:01.051574945 CET	50360	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:01.051716089 CET	50360	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:01.056546926 CET	445	50360	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:01.056581974 CET	445	50360	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:01.560249090 CET	50371	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:08:01.566181898 CET	445	50371	117.29.223.1	192.168.2.6
Jan 15, 2025 19:08:01.566359043 CET	50371	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:08:01.566359043 CET	50371	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:08:01.571356058 CET	445	50371	117.29.223.1	192.168.2.6
Jan 15, 2025 19:08:02.562516928 CET	445	50243	63.35.17.1	192.168.2.6
Jan 15, 2025 19:08:02.562880039 CET	50243	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:02.562880039 CET	50243	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:02.562947035 CET	50243	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:02.570368052 CET	445	50243	63.35.17.1	192.168.2.6
Jan 15, 2025 19:08:02.570383072 CET	445	50243	63.35.17.1	192.168.2.6
Jan 15, 2025 19:08:02.702385902 CET	445	50244	203.128.199.1	192.168.2.6
Jan 15, 2025 19:08:02.702689886 CET	50244	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:08:02.702689886 CET	50244	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:08:02.706312895 CET	50244	445	192.168.2.6	203.128.199.1
Jan 15, 2025 19:08:02.710333109 CET	445	50244	203.128.199.1	192.168.2.6
Jan 15, 2025 19:08:02.711361885 CET	445	50244	203.128.199.1	192.168.2.6
Jan 15, 2025 19:08:02.763384104 CET	50375	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.768341064 CET	445	50375	203.128.199.2	192.168.2.6
Jan 15, 2025 19:08:02.768435955 CET	50375	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.768474102 CET	50375	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.768889904 CET	50376	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.774338961 CET	445	50375	203.128.199.2	192.168.2.6
Jan 15, 2025 19:08:02.774349928 CET	445	50376	203.128.199.2	192.168.2.6
Jan 15, 2025 19:08:02.774399042 CET	50375	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.774424076 CET	50376	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.774444103 CET	50376	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:02.779367924 CET	445	50376	203.128.199.2	192.168.2.6
Jan 15, 2025 19:08:03.529146910 CET	50379	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:03.534398079 CET	445	50379	153.143.158.1	192.168.2.6
Jan 15, 2025 19:08:03.534488916 CET	50379	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:03.534533024 CET	50379	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:03.539351940 CET	445	50379	153.143.158.1	192.168.2.6
Jan 15, 2025 19:08:04.060297966 CET	50383	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:04.066366911 CET	445	50383	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:04.066513062 CET	50383	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:04.069334984 CET	50383	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:04.074071884 CET	445	50383	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:04.595419884 CET	445	50260	60.208.232.1	192.168.2.6
Jan 15, 2025 19:08:04.595757008 CET	50260	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:04.595854998 CET	50260	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:04.595895052 CET	50260	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:04.600728035 CET	445	50260	60.208.232.1	192.168.2.6
Jan 15, 2025 19:08:04.600760937 CET	445	50260	60.208.232.1	192.168.2.6
Jan 15, 2025 19:08:04.762208939 CET	445	50263	138.181.159.1	192.168.2.6
Jan 15, 2025 19:08:04.762715101 CET	50263	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:08:04.762715101 CET	50263	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:08:04.762769938 CET	50263	445	192.168.2.6	138.181.159.1
Jan 15, 2025 19:08:04.767682076 CET	445	50263	138.181.159.1	192.168.2.6
Jan 15, 2025 19:08:04.767689943 CET	445	50263	138.181.159.1	192.168.2.6
Jan 15, 2025 19:08:04.825910091 CET	50389	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.830878973 CET	445	50389	138.181.159.2	192.168.2.6
Jan 15, 2025 19:08:04.830980062 CET	50389	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.831069946 CET	50389	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.831347942 CET	50390	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.836282969 CET	445	50389	138.181.159.2	192.168.2.6
Jan 15, 2025 19:08:04.836293936 CET	445	50390	138.181.159.2	192.168.2.6
Jan 15, 2025 19:08:04.836393118 CET	50389	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.836432934 CET	50390	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.836447001 CET	50390	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:04.841310024 CET	445	50390	138.181.159.2	192.168.2.6
Jan 15, 2025 19:08:05.575761080 CET	50397	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:05.580903053 CET	445	50397	63.35.17.1	192.168.2.6
Jan 15, 2025 19:08:05.581002951 CET	50397	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:05.581029892 CET	50397	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:05.585860014 CET	445	50397	63.35.17.1	192.168.2.6
Jan 15, 2025 19:08:05.630764961 CET	445	50343	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:05.630908012 CET	50343	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:05.630986929 CET	50343	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:05.631014109 CET	50343	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:05.636010885 CET	445	50343	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:05.636044025 CET	445	50343	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:06.054929018 CET	445	50383	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:06.055001020 CET	50383	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:06.055043936 CET	50383	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:06.055058956 CET	50383	445	192.168.2.6	126.115.83.1
Jan 15, 2025 19:08:06.059899092 CET	445	50383	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:06.059909105 CET	445	50383	126.115.83.1	192.168.2.6
Jan 15, 2025 19:08:06.099208117 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.099251032 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:06.099373102 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.100135088 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.100146055 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:06.107176065 CET	50405	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.112591982 CET	445	50405	126.115.83.2	192.168.2.6
Jan 15, 2025 19:08:06.112720966 CET	50405	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.112761021 CET	50405	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.113003969 CET	50406	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.117799997 CET	445	50406	126.115.83.2	192.168.2.6
Jan 15, 2025 19:08:06.117873907 CET	50406	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.117925882 CET	50406	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.119281054 CET	445	50405	126.115.83.2	192.168.2.6
Jan 15, 2025 19:08:06.119359970 CET	50405	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:06.122685909 CET	445	50406	126.115.83.2	192.168.2.6
Jan 15, 2025 19:08:06.435926914 CET	445	50277	56.85.51.1	192.168.2.6
Jan 15, 2025 19:08:06.436039925 CET	50277	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:06.436122894 CET	50277	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:06.436192989 CET	50277	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:06.444905996 CET	445	50277	56.85.51.1	192.168.2.6
Jan 15, 2025 19:08:06.444915056 CET	445	50277	56.85.51.1	192.168.2.6
Jan 15, 2025 19:08:06.779027939 CET	445	50279	74.134.76.1	192.168.2.6
Jan 15, 2025 19:08:06.779216051 CET	50279	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:08:06.779262066 CET	50279	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:08:06.779262066 CET	50279	445	192.168.2.6	74.134.76.1
Jan 15, 2025 19:08:06.784034014 CET	445	50279	74.134.76.1	192.168.2.6
Jan 15, 2025 19:08:06.784051895 CET	445	50279	74.134.76.1	192.168.2.6
Jan 15, 2025 19:08:06.841454029 CET	50414	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.846430063 CET	445	50414	74.134.76.2	192.168.2.6
Jan 15, 2025 19:08:06.846548080 CET	50414	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.846625090 CET	50414	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.847022057 CET	50415	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.851660967 CET	445	50414	74.134.76.2	192.168.2.6
Jan 15, 2025 19:08:06.851784945 CET	50414	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.852025986 CET	445	50415	74.134.76.2	192.168.2.6
Jan 15, 2025 19:08:06.852102995 CET	50415	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.852132082 CET	50415	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:06.856977940 CET	445	50415	74.134.76.2	192.168.2.6
Jan 15, 2025 19:08:06.921268940 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:06.921370983 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.923072100 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.923079014 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:06.923288107 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:06.925219059 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.925255060 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.925261021 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:06.925384045 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:06.967330933 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:07.159595013 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:07.159718037 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:07.159779072 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:07.159945011 CET	50404	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:07.159960985 CET	443	50404	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:07.607033968 CET	50425	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:07.613262892 CET	445	50425	60.208.232.1	192.168.2.6
Jan 15, 2025 19:08:07.613382101 CET	50425	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:07.613414049 CET	50425	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:07.618304968 CET	445	50425	60.208.232.1	192.168.2.6
Jan 15, 2025 19:08:08.152410984 CET	445	50292	200.198.81.1	192.168.2.6
Jan 15, 2025 19:08:08.152493954 CET	50292	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:08.152561903 CET	50292	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:08.152614117 CET	50292	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:08.157421112 CET	445	50292	200.198.81.1	192.168.2.6
Jan 15, 2025 19:08:08.157649040 CET	445	50292	200.198.81.1	192.168.2.6
Jan 15, 2025 19:08:08.355443954 CET	445	50334	160.120.91.1	192.168.2.6
Jan 15, 2025 19:08:08.355596066 CET	50334	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:08.355699062 CET	50334	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:08.355699062 CET	50334	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:08.360574961 CET	445	50334	160.120.91.1	192.168.2.6
Jan 15, 2025 19:08:08.360604048 CET	445	50334	160.120.91.1	192.168.2.6
Jan 15, 2025 19:08:08.638201952 CET	50443	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:08.643279076 CET	445	50443	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:08.643394947 CET	50443	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:08.643471003 CET	50443	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:08.648376942 CET	445	50443	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:08.777215958 CET	445	50297	15.8.58.1	192.168.2.6
Jan 15, 2025 19:08:08.777421951 CET	50297	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:08:08.777565956 CET	50297	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:08:08.777611971 CET	50297	445	192.168.2.6	15.8.58.1
Jan 15, 2025 19:08:08.782407045 CET	445	50297	15.8.58.1	192.168.2.6
Jan 15, 2025 19:08:08.782421112 CET	445	50297	15.8.58.1	192.168.2.6
Jan 15, 2025 19:08:08.841924906 CET	50450	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.846961975 CET	445	50450	15.8.58.2	192.168.2.6
Jan 15, 2025 19:08:08.847057104 CET	50450	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.847094059 CET	50450	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.847471952 CET	50452	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.852106094 CET	445	50450	15.8.58.2	192.168.2.6
Jan 15, 2025 19:08:08.852180004 CET	50450	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.852279902 CET	445	50452	15.8.58.2	192.168.2.6
Jan 15, 2025 19:08:08.852355003 CET	50452	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.852391005 CET	50452	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:08.857168913 CET	445	50452	15.8.58.2	192.168.2.6
Jan 15, 2025 19:08:09.450618029 CET	50466	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:09.455578089 CET	445	50466	56.85.51.1	192.168.2.6
Jan 15, 2025 19:08:09.455647945 CET	50466	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:09.455677032 CET	50466	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:09.460467100 CET	445	50466	56.85.51.1	192.168.2.6
Jan 15, 2025 19:08:09.808418989 CET	445	50306	117.41.142.1	192.168.2.6
Jan 15, 2025 19:08:09.808522940 CET	50306	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:08:09.808573008 CET	50306	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:08:09.808593988 CET	50306	445	192.168.2.6	117.41.142.1
Jan 15, 2025 19:08:09.813399076 CET	445	50306	117.41.142.1	192.168.2.6
Jan 15, 2025 19:08:09.813410044 CET	445	50306	117.41.142.1	192.168.2.6
Jan 15, 2025 19:08:10.174705982 CET	445	50443	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:10.174808979 CET	50443	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:10.174808979 CET	50443	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:10.175046921 CET	50443	445	192.168.2.6	209.63.158.1
Jan 15, 2025 19:08:10.179807901 CET	445	50443	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:10.179907084 CET	445	50443	209.63.158.1	192.168.2.6
Jan 15, 2025 19:08:10.231942892 CET	50487	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.237040997 CET	445	50487	209.63.158.2	192.168.2.6
Jan 15, 2025 19:08:10.237124920 CET	50487	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.237253904 CET	50487	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.237612009 CET	50488	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.242223024 CET	445	50487	209.63.158.2	192.168.2.6
Jan 15, 2025 19:08:10.242288113 CET	50487	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.242485046 CET	445	50488	209.63.158.2	192.168.2.6
Jan 15, 2025 19:08:10.242547989 CET	50488	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.242633104 CET	50488	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:10.247802019 CET	445	50488	209.63.158.2	192.168.2.6
Jan 15, 2025 19:08:10.808722019 CET	445	50315	100.85.225.1	192.168.2.6
Jan 15, 2025 19:08:10.809089899 CET	50315	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:08:10.809223890 CET	50315	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:08:10.809223890 CET	50315	445	192.168.2.6	100.85.225.1
Jan 15, 2025 19:08:10.814132929 CET	445	50315	100.85.225.1	192.168.2.6
Jan 15, 2025 19:08:10.814165115 CET	445	50315	100.85.225.1	192.168.2.6
Jan 15, 2025 19:08:10.872859955 CET	50511	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.877914906 CET	445	50511	100.85.225.2	192.168.2.6
Jan 15, 2025 19:08:10.878009081 CET	50511	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.878057957 CET	50511	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.878467083 CET	50512	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.883223057 CET	445	50511	100.85.225.2	192.168.2.6
Jan 15, 2025 19:08:10.883306980 CET	50511	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.883454084 CET	445	50512	100.85.225.2	192.168.2.6
Jan 15, 2025 19:08:10.883519888 CET	50512	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.883565903 CET	50512	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:10.888441086 CET	445	50512	100.85.225.2	192.168.2.6
Jan 15, 2025 19:08:11.153846979 CET	50526	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:11.158793926 CET	445	50526	200.198.81.1	192.168.2.6
Jan 15, 2025 19:08:11.158971071 CET	50526	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:11.159008980 CET	50526	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:11.163798094 CET	445	50526	200.198.81.1	192.168.2.6
Jan 15, 2025 19:08:11.340625048 CET	445	50320	74.226.207.1	192.168.2.6
Jan 15, 2025 19:08:11.340728998 CET	50320	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:08:11.340766907 CET	50320	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:08:11.340811014 CET	50320	445	192.168.2.6	74.226.207.1
Jan 15, 2025 19:08:11.345710993 CET	445	50320	74.226.207.1	192.168.2.6
Jan 15, 2025 19:08:11.345746994 CET	445	50320	74.226.207.1	192.168.2.6
Jan 15, 2025 19:08:11.356964111 CET	50537	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:11.361876965 CET	445	50537	160.120.91.1	192.168.2.6
Jan 15, 2025 19:08:11.361994028 CET	50537	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:11.362013102 CET	50537	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:11.366800070 CET	445	50537	160.120.91.1	192.168.2.6
Jan 15, 2025 19:08:12.761574984 CET	445	50327	149.241.237.1	192.168.2.6
Jan 15, 2025 19:08:12.761639118 CET	50327	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:08:13.941730022 CET	50340	445	192.168.2.6	7.138.150.1
Jan 15, 2025 19:08:13.941770077 CET	50488	445	192.168.2.6	209.63.158.2
Jan 15, 2025 19:08:13.941839933 CET	50331	445	192.168.2.6	32.52.139.1
Jan 15, 2025 19:08:13.941868067 CET	50330	445	192.168.2.6	7.192.148.1
Jan 15, 2025 19:08:13.941912889 CET	50379	445	192.168.2.6	153.143.158.1
Jan 15, 2025 19:08:13.941937923 CET	50537	445	192.168.2.6	160.120.91.1
Jan 15, 2025 19:08:13.941968918 CET	50348	445	192.168.2.6	104.205.84.2
Jan 15, 2025 19:08:13.942074060 CET	50351	445	192.168.2.6	23.94.219.1
Jan 15, 2025 19:08:13.942081928 CET	50327	445	192.168.2.6	149.241.237.1
Jan 15, 2025 19:08:13.942087889 CET	50338	445	192.168.2.6	49.114.69.2
Jan 15, 2025 19:08:13.942111969 CET	50339	445	192.168.2.6	203.223.187.1
Jan 15, 2025 19:08:13.942137003 CET	50345	445	192.168.2.6	158.87.244.2
Jan 15, 2025 19:08:13.942159891 CET	50347	445	192.168.2.6	54.192.5.1
Jan 15, 2025 19:08:13.942228079 CET	50354	445	192.168.2.6	118.54.82.1
Jan 15, 2025 19:08:13.942255974 CET	50357	445	192.168.2.6	75.228.122.2
Jan 15, 2025 19:08:13.942291975 CET	50361	445	192.168.2.6	53.194.27.1
Jan 15, 2025 19:08:13.942315102 CET	50364	445	192.168.2.6	186.162.98.1
Jan 15, 2025 19:08:13.942327023 CET	50367	445	192.168.2.6	216.15.111.1
Jan 15, 2025 19:08:13.942357063 CET	50369	445	192.168.2.6	173.218.135.2
Jan 15, 2025 19:08:13.942372084 CET	50371	445	192.168.2.6	117.29.223.1
Jan 15, 2025 19:08:13.942409992 CET	50376	445	192.168.2.6	203.128.199.2
Jan 15, 2025 19:08:13.942421913 CET	50390	445	192.168.2.6	138.181.159.2
Jan 15, 2025 19:08:13.942451000 CET	50406	445	192.168.2.6	126.115.83.2
Jan 15, 2025 19:08:13.942476988 CET	50397	445	192.168.2.6	63.35.17.1
Jan 15, 2025 19:08:13.942511082 CET	50415	445	192.168.2.6	74.134.76.2
Jan 15, 2025 19:08:13.942521095 CET	50425	445	192.168.2.6	60.208.232.1
Jan 15, 2025 19:08:13.942559958 CET	50452	445	192.168.2.6	15.8.58.2
Jan 15, 2025 19:08:13.942605972 CET	50466	445	192.168.2.6	56.85.51.1
Jan 15, 2025 19:08:13.942732096 CET	50512	445	192.168.2.6	100.85.225.2
Jan 15, 2025 19:08:13.942821980 CET	50526	445	192.168.2.6	200.198.81.1
Jan 15, 2025 19:08:36.045248985 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.045325994 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:36.045442104 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.046173096 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.046189070 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:36.874906063 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:36.875030041 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.881354094 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.881405115 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:36.881630898 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:36.883933067 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.884007931 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.884021044 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:36.884164095 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:36.931338072 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:37.059964895 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:37.060039043 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:37.060250044 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:37.060817957 CET	50635	443	192.168.2.6	40.115.3.253
Jan 15, 2025 19:08:37.060858965 CET	443	50635	40.115.3.253	192.168.2.6
Jan 15, 2025 19:08:38.403872967 CET	49703	443	192.168.2.6	40.126.31.71
Jan 15, 2025 19:08:38.404001951 CET	49704	80	192.168.2.6	199.232.214.172
Jan 15, 2025 19:08:38.410449028 CET	443	49703	40.126.31.71	192.168.2.6
Jan 15, 2025 19:08:38.410465956 CET	80	49704	199.232.214.172	192.168.2.6
Jan 15, 2025 19:08:38.410501957 CET	49703	443	192.168.2.6	40.126.31.71
Jan 15, 2025 19:08:38.410545111 CET	49704	80	192.168.2.6	199.232.214.172
Jan 15, 2025 19:08:40.700705051 CET	49707	443	192.168.2.6	40.126.31.71
Jan 15, 2025 19:08:40.706965923 CET	443	49707	40.126.31.71	192.168.2.6
Jan 15, 2025 19:08:40.707125902 CET	49707	443	192.168.2.6	40.126.31.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 19:07:05.916752100 CET	54126	53	192.168.2.6	1.1.1.1
Jan 15, 2025 19:07:06.222209930 CET	53	54126	1.1.1.1	192.168.2.6
Jan 15, 2025 19:07:06.852595091 CET	54349	53	192.168.2.6	1.1.1.1
Jan 15, 2025 19:07:07.183099985 CET	53	54349	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 19:07:05.916752100 CET	192.168.2.6	1.1.1.1	0x47b4	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:07:06.852595091 CET	192.168.2.6	1.1.1.1	0x79ba	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 19:07:06.222209930 CET	1.1.1.1	192.168.2.6	0x47b4	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:07:07.183099985 CET	1.1.1.1	192.168.2.6	0x79ba	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 19:07:07.183099985 CET	1.1.1.1	192.168.2.6	0x79ba	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	103.224.212.215	80	4800	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:07:06.233762980 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 19:07:06.827258110 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 18:07:06 GMT server: Apache set-cookie: __tad=1736964426.6027517; expires=Sat, 13-Jan-2035 18:07:06 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-06c2-ab55-018cebe831fb content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49711	199.59.243.228	80	4800	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:07:07.190315008 CET	169	OUT	GET /?subid1=20250116-0507-06c2-ab55-018cebe831fb HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 19:07:07.663979053 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 18:07:07 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 667eccaa-c04f-4d79-96f2-58e7887f231d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xm8eVMwpBdKZLe38vkVy+wg5jP0gveriH4XsHT2TcQAfyyaGPtUyo4sdW1g6tuqoAhg2qsa0CLxpo8JgwTl64Q== set-cookie: parking_session=667eccaa-c04f-4d79-96f2-58e7887f231d; expires=Wed, 15 Jan 2025 18:22:07 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 78 6d 38 65 56 4d 77 70 42 64 4b 5a 4c 65 33 38 76 6b 56 79 2b 77 67 35 6a 50 30 67 76 65 72 69 48 34 58 73 48 54 32 54 63 51 41 66 79 79 61 47 50 74 55 79 6f 34 73 64 57 31 67 36 74 75 71 6f 41 68 67 32 71 73 61 30 43 4c 78 70 6f 38 4a 67 77 54 6c 36 34 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xm8eVMwpBdKZLe38vkVy+wg5jP0gveriH4XsHT2TcQAfyyaGPtUyo4sdW1g6tuqoAhg2qsa0CLxpo8JgwTl64Q==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 19:07:07.664011002 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjY3ZWNjYWEtYzA0Zi00ZDc5LTk2ZjItNThlNzg4N2YyMzFkIiwicGFnZV90aW1lIjoxNzM2OTY0NDI3LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49712	103.224.212.215	80	3748	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:07:07.805841923 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 19:07:08.395829916 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 18:07:08 GMT server: Apache set-cookie: __tad=1736964428.6005750; expires=Sat, 13-Jan-2035 18:07:08 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-08af-9581-038eeaa6c39e content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49713	103.224.212.215	80	3816	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:07:08.072580099 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736964426.6027517
Jan 15, 2025 19:07:08.710063934 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 18:07:08 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0507-0847-82be-09ad5d5cb439 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49714	199.59.243.228	80	3748	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:07:08.405775070 CET	169	OUT	GET /?subid1=20250116-0507-08af-9581-038eeaa6c39e HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 19:07:08.871181965 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 18:07:08 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 491776b3-8083-4b0a-9c34-4dd1d3f72373 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kQdeWsPNsJCFxVy984sNjITWEIKq4EnFNQUjcGfwcRntEVWzBup/sJ2ivdv82QOB9ijK5OmQpQU0Y+RwmTMLWQ== set-cookie: parking_session=491776b3-8083-4b0a-9c34-4dd1d3f72373; expires=Wed, 15 Jan 2025 18:22:08 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 51 64 65 57 73 50 4e 73 4a 43 46 78 56 79 39 38 34 73 4e 6a 49 54 57 45 49 4b 71 34 45 6e 46 4e 51 55 6a 63 47 66 77 63 52 6e 74 45 56 57 7a 42 75 70 2f 73 4a 32 69 76 64 76 38 32 51 4f 42 39 69 6a 4b 35 4f 6d 51 70 51 55 30 59 2b 52 77 6d 54 4d 4c 57 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kQdeWsPNsJCFxVy984sNjITWEIKq4EnFNQUjcGfwcRntEVWzBup/sJ2ivdv82QOB9ijK5OmQpQU0Y+RwmTMLWQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 19:07:08.871243954 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDkxNzc2YjMtODA4My00YjBhLTljMzQtNGRkMWQzZjcyMzczIiwicGFnZV90aW1lIjoxNzM2OTY0NDI4LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49716	199.59.243.228	80	3816	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:07:08.720845938 CET	231	OUT	GET /?subid1=20250116-0507-0847-82be-09ad5d5cb439 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=667eccaa-c04f-4d79-96f2-58e7887f231d
Jan 15, 2025 19:07:09.213135958 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 18:07:09 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 746a1603-5762-4e2f-9adc-217287677af4 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lrm99a85YdGeGsahbniGQO39W7jIyz65LunvwYkUR0Sb7OPbYnylve1EkHb/GY8rMHzTr36YNfBr3Wbvc3t3tQ== set-cookie: parking_session=667eccaa-c04f-4d79-96f2-58e7887f231d; expires=Wed, 15 Jan 2025 18:22:09 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6c 72 6d 39 39 61 38 35 59 64 47 65 47 73 61 68 62 6e 69 47 51 4f 33 39 57 37 6a 49 79 7a 36 35 4c 75 6e 76 77 59 6b 55 52 30 53 62 37 4f 50 62 59 6e 79 6c 76 65 31 45 6b 48 62 2f 47 59 38 72 4d 48 7a 54 72 33 36 59 4e 66 42 72 33 57 62 76 63 33 74 33 74 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lrm99a85YdGeGsahbniGQO39W7jIyz65LunvwYkUR0Sb7OPbYnylve1EkHb/GY8rMHzTr36YNfBr3Wbvc3t3tQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 19:07:09.213175058 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjY3ZWNjYWEtYzA0Zi00ZDc5LTk2ZjItNThlNzg4N2YyMzFkIiwicGFnZV90aW1lIjoxNzM2OTY0NDI5LCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 18:07:06 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 69 61 50 38 75 4f 49 6b 42 30 61 7a 33 46 30 48 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 34 39 38 38 31 63 31 64 62 66 62 66 62 39 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: iaP8uOIkB0az3F0H.1Context: f49881c1dbfbfb99
2025-01-15 18:07:06 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 18:07:06 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 69 61 50 38 75 4f 49 6b 42 30 61 7a 33 46 30 48 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 34 39 38 38 31 63 31 64 62 66 62 66 62 39 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: iaP8uOIkB0az3F0H.2Context: f49881c1dbfbfb99<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-15 18:07:06 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 69 61 50 38 75 4f 49 6b 42 30 61 7a 33 46 30 48 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 34 39 38 38 31 63 31 64 62 66 62 66 62 39 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: iaP8uOIkB0az3F0H.3Context: f49881c1dbfbfb99<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 18:07:06 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 18:07:06 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 64 53 4c 58 53 54 77 52 73 45 79 61 71 4b 63 5a 74 65 45 31 63 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: dSLXSTwRsEyaqKcZteE1cg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49795	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 18:07:13 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 79 37 59 32 45 68 72 54 59 55 71 6a 43 45 67 2b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 64 63 32 65 35 61 39 31 36 66 64 33 31 66 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: y7Y2EhrTYUqjCEg+.1Context: 6dc2e5a916fd31f5
2025-01-15 18:07:13 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 18:07:13 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 79 37 59 32 45 68 72 54 59 55 71 6a 43 45 67 2b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 64 63 32 65 35 61 39 31 36 66 64 33 31 66 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: y7Y2EhrTYUqjCEg+.2Context: 6dc2e5a916fd31f5<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-15 18:07:13 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 79 37 59 32 45 68 72 54 59 55 71 6a 43 45 67 2b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 64 63 32 65 35 61 39 31 36 66 64 33 31 66 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: y7Y2EhrTYUqjCEg+.3Context: 6dc2e5a916fd31f5<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 18:07:14 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 18:07:14 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 39 37 70 6d 35 76 51 54 56 45 47 71 47 78 72 2b 61 38 46 4e 6c 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 97pm5vQTVEGqGxr+a8FNlw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	50018	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 18:07:25 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6a 4e 72 74 75 4d 75 54 4e 30 2b 67 50 76 54 56 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 32 36 61 37 65 61 61 35 38 38 65 31 66 33 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: jNrtuMuTN0+gPvTV.1Context: e26a7eaa588e1f39
2025-01-15 18:07:25 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 18:07:25 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6a 4e 72 74 75 4d 75 54 4e 30 2b 67 50 76 54 56 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 32 36 61 37 65 61 61 35 38 38 65 31 66 33 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: jNrtuMuTN0+gPvTV.2Context: e26a7eaa588e1f39<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-15 18:07:25 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6a 4e 72 74 75 4d 75 54 4e 30 2b 67 50 76 54 56 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 32 36 61 37 65 61 61 35 38 38 65 31 66 33 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: jNrtuMuTN0+gPvTV.3Context: e26a7eaa588e1f39<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 18:07:26 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 18:07:26 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 54 6d 6f 2f 53 44 74 34 56 55 61 41 4a 39 41 75 2b 31 38 32 69 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Tmo/SDt4VUaAJ9Au+182iw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50264	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 18:07:44 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 7a 48 7a 57 6f 4d 46 71 50 55 47 46 37 39 74 37 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 63 35 36 65 64 63 66 66 66 36 37 65 36 32 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: zHzWoMFqPUGF79t7.1Context: ec56edcfff67e62b
2025-01-15 18:07:44 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 18:07:44 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 7a 48 7a 57 6f 4d 46 71 50 55 47 46 37 39 74 37 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 63 35 36 65 64 63 66 66 66 36 37 65 36 32 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: zHzWoMFqPUGF79t7.2Context: ec56edcfff67e62b<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-15 18:07:44 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 7a 48 7a 57 6f 4d 46 71 50 55 47 46 37 39 74 37 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 63 35 36 65 64 63 66 66 66 36 37 65 36 32 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: zHzWoMFqPUGF79t7.3Context: ec56edcfff67e62b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 18:07:44 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 18:07:44 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 74 78 50 48 49 31 30 52 34 30 32 2b 46 33 6b 78 66 65 2f 70 45 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: txPHI10R402+F3kxfe/pEA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50404	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 18:08:06 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 33 4f 34 59 33 49 73 68 75 6b 6d 4b 37 4b 2b 58 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 66 35 64 66 34 34 34 66 65 37 63 30 36 63 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 3O4Y3IshukmK7K+X.1Context: ff5df444fe7c06c1
2025-01-15 18:08:06 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 18:08:06 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 33 4f 34 59 33 49 73 68 75 6b 6d 4b 37 4b 2b 58 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 66 35 64 66 34 34 34 66 65 37 63 30 36 63 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 3O4Y3IshukmK7K+X.2Context: ff5df444fe7c06c1<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-15 18:08:06 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 33 4f 34 59 33 49 73 68 75 6b 6d 4b 37 4b 2b 58 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 66 35 64 66 34 34 34 66 65 37 63 30 36 63 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 3O4Y3IshukmK7K+X.3Context: ff5df444fe7c06c1<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 18:08:07 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 18:08:07 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 41 77 45 32 72 4f 7a 34 39 6b 79 50 70 36 33 6d 73 44 76 6a 4d 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: AwE2rOz49kyPp63msDvjMQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50635	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 18:08:36 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4f 52 78 45 34 6e 41 4c 39 55 2b 48 44 5a 33 76 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 34 65 33 31 62 33 37 33 62 61 39 35 38 65 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: ORxE4nAL9U+HDZ3v.1Context: d4e31b373ba958e9
2025-01-15 18:08:36 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 18:08:36 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4f 52 78 45 34 6e 41 4c 39 55 2b 48 44 5a 33 76 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 34 65 33 31 62 33 37 33 62 61 39 35 38 65 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 52 45 2b 7a 48 4d 6e 30 63 46 79 47 75 30 6f 35 62 69 7a 4b 42 31 78 37 65 49 50 45 79 49 55 72 4f 48 6a 2f 53 53 7a 71 78 30 4d 77 34 2b 7a 57 77 46 57 55 43 41 50 32 55 76 67 4d 31 55 4d 51 35 2f 4d 67 67 52 6f 78 77 72 74 57 4b 45 55 79 79 4e 6c 6a 6b 62 4f 4e 37 4f 4f 5a 47 4f 2b 4b 2f 58 2b 6a 34 39 4e 39 74 58 39 78 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: ORxE4nAL9U+HDZ3v.2Context: d4e31b373ba958e9<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARE+zHMn0cFyGu0o5bizKB1x7eIPEyIUrOHj/SSzqx0Mw4+zWwFWUCAP2UvgM1UMQ5/MggRoxwrtWKEUyyNljkbON7OOZGO+K/X+j49N9tX9xU
2025-01-15 18:08:36 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4f 52 78 45 34 6e 41 4c 39 55 2b 48 44 5a 33 76 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 34 65 33 31 62 33 37 33 62 61 39 35 38 65 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: ORxE4nAL9U+HDZ3v.3Context: d4e31b373ba958e9<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 18:08:37 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 18:08:37 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 76 69 57 62 4b 34 76 34 55 6b 79 63 6c 30 75 67 68 6d 75 55 48 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: viWbK4v4Ukycl0ughmuUHA.0Payload parsing failed.

Target ID:	0
Start time:	13:07:03
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll"
Imagebase:	0x9b0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:07:03
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:07:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:07:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\QQE81XYXon.dll,PlayGame
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:07:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",#1
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:07:03
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	6BFA175E3CBD626EF26394826EDB0FDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2152520017.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2152654639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:07:06
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	6BFA175E3CBD626EF26394826EDB0FDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2179028546.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2179157814.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2827299654.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2827534382.0000000002286000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:07:06
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\QQE81XYXon.dll",PlayGame
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:07:06
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	6BFA175E3CBD626EF26394826EDB0FDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2196270495.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2180935665.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2181333198.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.2196435843.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FA10EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000006.00000002.2194999882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2194970989.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195017472.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195088572.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2194999882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2194970989.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195017472.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195088572.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2194999882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2194970989.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195017472.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195088572.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FA10EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.2194999882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2194970989.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195017472.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195088572.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6FA10EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2194999882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2194970989.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195017472.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195034064.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195088572.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2195185959.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 3748, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6FA10EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2826560707.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2826547496.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826574459.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826632436.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826645281.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2826560707.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2826547496.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826574459.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826632436.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826645281.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FA10EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000008.00000002.2826560707.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2826547496.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826574459.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826632436.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826645281.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FA10EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CloseHandle, xrefs: 00407D29
WINDOWS, xrefs: 00407DF2, 00407E0D
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000008.00000002.2826560707.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2826547496.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826574459.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826632436.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826645281.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2826560707.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2826547496.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826574459.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826587169.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826619503.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826632436.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826645281.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2826719337.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QQE81XYXon.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
QQE81XYXon.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON