Edit tour

Windows Analysis Report
sUlHfYQxNw.dll

Overview

General Information

Sample name:	sUlHfYQxNw.dll renamed because original name is a hash value
Original sample name:	68165b3d89166ec828062f5c356e0e1b.dll
Analysis ID:	1591279
MD5:	68165b3d89166ec828062f5c356e0e1b
SHA1:	208485739bbab56c7998f952c3d742527cfdeeb7
SHA256:	22085c67126368a27c68cb62a147c0895f3e4d76d30c704952dcd356cf68b53f
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7676 cmdline: loaddll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7728 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7752 cmdline: rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7816 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B01DB44786F461C9415813F968A7664A)

rundll32.exe (PID: 7736 cmdline: rundll32.exe C:\Users\user\Desktop\sUlHfYQxNw.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7960 cmdline: rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7976 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B01DB44786F461C9415813F968A7664A)

mssecsvr.exe (PID: 7920 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: B01DB44786F461C9415813F968A7664A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sUlHfYQxNw.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
sUlHfYQxNw.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1356648127.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2032119796.00000000024E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1385339292.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2031833962.0000000001FB8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1400701115.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1379865895.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7816	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7920	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7976	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.24da8c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1fa9084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.24e9948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.24e9948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.24e9948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1fb8104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1fb8104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1fb8104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1fa9084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1fa9084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x284bb0:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x284b88:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x24f254:$s1: C:\%s\%s 0x26ab7c:$s1: C:\%s\%s 0x284b9c:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x281ed0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x26f2c5:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x25c975:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x2570ba:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x254c29:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1fa9084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.24da8c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.24da8c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.24da8c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1fb8104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1fb8104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1fb40a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1fb40a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.24e58e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.24e58e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.24e9948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.24e9948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
Click to see the 35 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:06:32.939526+0100	2803304	3	Unknown Traffic	192.168.2.9	49742	103.224.212.215	80	TCP
2025-01-14T21:06:34.454699+0100	2803304	3	Unknown Traffic	192.168.2.9	49754	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:06:31.993258+0100	2830018	1	A Network Trojan was detected	192.168.2.9	58034	1.1.1.1	53	UDP

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03

Source: sUlHfYQxNw.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sUlHfYQxNw.dll,PlayGame

Source: sUlHfYQxNw.dll	ReversingLabs: Detection: 92%
Source: sUlHfYQxNw.dll	Virustotal: Detection: 94%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sUlHfYQxNw.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sUlHfYQxNw.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: sUlHfYQxNw.dll

Static file information: File size 5267459 > 1048576

Source: sUlHfYQxNw.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 6.811395527809462

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 8048	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 8048	Thread sleep time: -196000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 8052	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 8052	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 8048	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW ^
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: mssecsvr.exe, 00000006.00000002.1396004769.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1396004769.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2031364988.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1401202588.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000006.00000002.1396004769.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0V

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sUlHfYQxNw.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
sUlHfYQxNw.dll	95%	Virustotal		Browse
sUlHfYQxNw.dll	100%	Avira	TR/Ransom.Gen
sUlHfYQxNw.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	65%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\tasksche.exe	65%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a01	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e6972f	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comQ	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c837	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c83701	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e697	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a01	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c83701	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e6972f	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L	mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e697	mssecsvr.exe, 0000000A.00000002.1401202588.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	sUlHfYQxNw.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a	mssecsvr.exe, 00000006.00000002.1396004769.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/b	mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comQ	mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/#	mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c837	mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2030892381.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/R	mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r	mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B	mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
16.10.57.2	unknown	United States	unknown	unknown	false
16.10.57.1	unknown	United States	unknown	unknown	false
51.159.121.244	unknown	France	12876	OnlineSASFR	false
15.212.96.173	unknown	United States	71	HP-INTERNET-ASUS	false
103.42.206.1	unknown	India	134307	CLASSIC-JOISTER-ASClassicnetBroadbandNetworkIN	false
15.212.96.2	unknown	United States	71	HP-INTERNET-ASUS	false
15.212.96.1	unknown	United States	71	HP-INTERNET-ASUS	false
132.227.104.105	unknown	France	1307	FR-U-JUSSIEU-PARISEU	false
62.129.107.104	unknown	United Kingdom	8309	SIPARTECHFR	false
116.209.81.2	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
116.209.81.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
71.110.186.84	unknown	United States	5650	FRONTIER-FRTRUS	false
71.110.186.1	unknown	United States	5650	FRONTIER-FRTRUS	false
186.17.232.1	unknown	Paraguay	23201	TelecelSAPY	false
223.92.131.20	unknown	China	56041	CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC	false
138.57.247.2	unknown	United States	2611	BELNETBE	false
138.57.247.1	unknown	United States	2611	BELNETBE	false
136.127.160.1	unknown	United States	15169	GOOGLEUS	false
34.81.201.226	unknown	United States	15169	GOOGLEUS	false
3.157.171.223	unknown	United States	16509	AMAZON-02US	false
126.245.156.111	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
178.11.150.1	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
50.121.163.1	unknown	United States	5650	FRONTIER-FRTRUS	false
199.83.239.1	unknown	United States	32458	INDCONETUS	false
199.83.239.2	unknown	United States	32458	INDCONETUS	false
63.166.202.107	unknown	United States	1239	SPRINTLINKUS	false
3.157.171.2	unknown	United States	16509	AMAZON-02US	false
3.157.171.1	unknown	United States	16509	AMAZON-02US	false
150.135.181.70	unknown	United States	1706	UNIV-ARIZUS	false
144.69.237.2	unknown	United States	36351	SOFTLAYERUS	false
51.159.121.1	unknown	France	12876	OnlineSASFR	false
144.69.237.1	unknown	United States	36351	SOFTLAYERUS	false
103.42.206.197	unknown	India	134307	CLASSIC-JOISTER-ASClassicnetBroadbandNetworkIN	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591279
Start date and time:	2025-01-14 21:05:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sUlHfYQxNw.dll renamed because original name is a hash value
Original Sample Name:	68165b3d89166ec828062f5c356e0e1b.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.17.190.73, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:06:33	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:07:08	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	logitix.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	EFT_Payment_Notification_Gheenirrigation.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	MissedCall_Record_3295935663.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	62.122.184.98 (2).ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	87.247.158.212.ps1	Get hash	malicious	LummaC	Browse	13.107.246.45
	ithDgrzsHr.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
77026.bodis.com	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	103.224.212.215
	lJt3mQqCQl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	xIwkOnjSIa.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	IU28r0EZFA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	ViNIRfmQmE.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HP-INTERNET-ASUS	https://4efd-190-162-38-36.ngrok-free.app/c4362ded87174b295ab48d90984741d52be4c31e.pdf	Get hash	malicious	Unknown	Browse	15.156.138.222
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX	Get hash	malicious	Unknown	Browse	15.156.12.46
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	15.244.156.229
	miori.x86.elf	Get hash	malicious	Unknown	Browse	15.252.68.111
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	15.136.34.126
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	15.204.189.240
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	156.153.204.166
	armv6l.elf	Get hash	malicious	Unknown	Browse	16.143.138.218
	DF2.exe	Get hash	malicious	Unknown	Browse	15.204.11.249
	vcimanagement.armv5l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.152.214.245
HP-INTERNET-ASUS	https://4efd-190-162-38-36.ngrok-free.app/c4362ded87174b295ab48d90984741d52be4c31e.pdf	Get hash	malicious	Unknown	Browse	15.156.138.222
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX	Get hash	malicious	Unknown	Browse	15.156.12.46
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	15.244.156.229
	miori.x86.elf	Get hash	malicious	Unknown	Browse	15.252.68.111
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	15.136.34.126
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	15.204.189.240
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	156.153.204.166
	armv6l.elf	Get hash	malicious	Unknown	Browse	16.143.138.218
	DF2.exe	Get hash	malicious	Unknown	Browse	15.204.11.249
	vcimanagement.armv5l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.152.214.245
OnlineSASFR	TiOWA908TP.exe	Get hash	malicious	Unknown	Browse	51.159.14.89
	TiOWA908TP.exe	Get hash	malicious	Unknown	Browse	51.159.14.89
	TiOWA908TP.exe	Get hash	malicious	Unknown	Browse	51.159.14.89
	TiOWA908TP.exe	Get hash	malicious	Unknown	Browse	51.159.14.89
	TiOWA908TP.exe	Get hash	malicious	Unknown	Browse	51.159.14.89
	http://aeromorning.com	Get hash	malicious	Unknown	Browse	212.129.3.113
	12E56QE1Fc.exe	Get hash	malicious	Azorult	Browse	51.15.142.235
	4.elf	Get hash	malicious	Unknown	Browse	51.158.21.37
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	212.129.5.22
	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	163.172.240.109

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	23.206.229.209
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	23.206.229.209
	http://titanys.mindsetmatters.buzz	Get hash	malicious	ScreenConnect Tool	Browse	23.206.229.209
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	23.206.229.209
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.206.229.209
	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	23.206.229.209
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://bccab.dynartis.it/TI_loc.csv	Get hash	malicious	Unknown	Browse	23.206.229.209

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	6.646184840465622
Encrypted:	false
SSDEEP:	24576:tiBclNmD8kIqRYoAdNLKz6626M+vbOSSqTPVXmiHkQg6eX6SASk+RdhAdmvm:N21INRx+TSqTdX1HkQo6SAARdhnvm
MD5:	C1F591A38185090B5A668B926DEA47CF
SHA1:	C6C6521F772E046BDEDC319A2198D452871D441C
SHA-256:	7FB287D17B7F1A87EB97F1DF23BAB6B9950BD28B4E9FA17C300F590543F8A329
SHA-512:	1B8A020BC170D3D11F677DDE442F4557272920911C8AB399CB0E535A2466AFC72E9C363601092678E3D1065F99D43CFC2BC3A200669F1D4479604454614134BA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	6.646184840465622
Encrypted:	false
SSDEEP:	24576:tiBclNmD8kIqRYoAdNLKz6626M+vbOSSqTPVXmiHkQg6eX6SASk+RdhAdmvm:N21INRx+TSqTdX1HkQo6SAARdhnvm
MD5:	C1F591A38185090B5A668B926DEA47CF
SHA1:	C6C6521F772E046BDEDC319A2198D452871D441C
SHA-256:	7FB287D17B7F1A87EB97F1DF23BAB6B9950BD28B4E9FA17C300F590543F8A329
SHA-512:	1B8A020BC170D3D11F677DDE442F4557272920911C8AB399CB0E535A2466AFC72E9C363601092678E3D1065F99D43CFC2BC3A200669F1D4479604454614134BA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.582594818250169
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sUlHfYQxNw.dll
File size:	5'267'459 bytes
MD5:	68165b3d89166ec828062f5c356e0e1b
SHA1:	208485739bbab56c7998f952c3d742527cfdeeb7
SHA256:	22085c67126368a27c68cb62a147c0895f3e4d76d30c704952dcd356cf68b53f
SHA512:	b04f5d2f10dacf178223c2a2eebe9ba626ba74a13a534131bb88df2c1f39fb75f4cc4554d9d8435595b53a77a1ca489873c0e2792b8e738a110a8d881788feb5
SSDEEP:	49152:nnH21INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEau3RCgHAD:nH21aRxcSUDk36SAEdhvxWa9P593R
TLSH:	80362346ED08D679D16A0A7045B30F2AB3A138EDC3A7285E935C5EE50DD37A337C2A1D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FDCD904B5BBh
cmp dword ptr [10003140h], 00000000h
jmp 00007FDCD904B5D8h
cmp esi, 01h
je 00007FDCD904B5B7h
cmp esi, 02h
jne 00007FDCD904B5D4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FDCD904B5BBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FDCD904B5BEh
push edi
push esi
push ebx
call 00007FDCD904B4CAh
test eax, eax
jne 00007FDCD904B5B6h
xor eax, eax
jmp 00007FDCD904B600h
push edi
push esi
push ebx
call 00007FDCD904B37Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FDCD904B5BEh
test eax, eax
jne 00007FDCD904B5E9h
push edi
push eax
push ebx
call 00007FDCD904B4A6h
test esi, esi
je 00007FDCD904B5B7h
cmp esi, 03h
jne 00007FDCD904B5D8h
push edi
push esi
push ebx
call 00007FDCD904B495h
test eax, eax
jne 00007FDCD904B5B5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FDCD904B5C3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FDCD904B5BAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	2834f3542e987c2fc907ff7445fb2e4a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.3548316955566406

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T21:06:31.993258+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.9	58034	1.1.1.1	53	UDP
2025-01-14T21:06:32.939526+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49742	103.224.212.215	80	TCP
2025-01-14T21:06:34.454699+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49754	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:06:24.740194082 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:06:24.787090063 CET	49676	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:25.427637100 CET	49675	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:25.646358967 CET	49674	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:27.146439075 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:06:31.958874941 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:06:32.315320969 CET	49742	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:32.320161104 CET	80	49742	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:32.320235968 CET	49742	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:32.322264910 CET	49742	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:32.327004910 CET	80	49742	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:32.939353943 CET	80	49742	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:32.939435005 CET	80	49742	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:32.939526081 CET	49742	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:32.947190046 CET	49742	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:32.952008963 CET	80	49742	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:33.132075071 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.136928082 CET	80	49748	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:33.136991024 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.138122082 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.142961025 CET	80	49748	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:33.161971092 CET	49673	443	192.168.2.9	204.79.197.203
Jan 14, 2025 21:06:33.599946022 CET	80	49748	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:33.599968910 CET	80	49748	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:33.600034952 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.600034952 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.605577946 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.605577946 CET	49748	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:33.825721979 CET	49754	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:33.830563068 CET	80	49754	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:33.830634117 CET	49754	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:33.830791950 CET	49754	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:33.835545063 CET	80	49754	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:34.454596996 CET	80	49754	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:34.454699039 CET	49754	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:34.454747915 CET	80	49754	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:34.454816103 CET	49754	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:34.536020041 CET	49754	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:34.540851116 CET	80	49754	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:34.578728914 CET	49760	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:34.582751989 CET	49761	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:34.584099054 CET	80	49760	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:34.584177971 CET	49760	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:34.584914923 CET	49760	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:34.588551998 CET	80	49761	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:34.588655949 CET	49761	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:34.588896036 CET	49761	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:34.590177059 CET	80	49760	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:34.594305038 CET	80	49761	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.037007093 CET	49675	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:35.044425011 CET	80	49761	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.044482946 CET	80	49761	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.044569969 CET	49761	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.075468063 CET	49761	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.075644016 CET	49761	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.170909882 CET	49766	445	192.168.2.9	3.157.171.223
Jan 14, 2025 21:06:35.175817013 CET	445	49766	3.157.171.223	192.168.2.9
Jan 14, 2025 21:06:35.176146984 CET	49766	445	192.168.2.9	3.157.171.223
Jan 14, 2025 21:06:35.176259995 CET	49766	445	192.168.2.9	3.157.171.223
Jan 14, 2025 21:06:35.178821087 CET	49767	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.181272984 CET	445	49766	3.157.171.223	192.168.2.9
Jan 14, 2025 21:06:35.181400061 CET	49766	445	192.168.2.9	3.157.171.223
Jan 14, 2025 21:06:35.183662891 CET	445	49767	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:35.183739901 CET	49767	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.183778048 CET	49767	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.187822104 CET	49768	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.188924074 CET	445	49767	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:35.189090967 CET	49767	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.192774057 CET	445	49768	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:35.192858934 CET	49768	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.192919016 CET	49768	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:35.193245888 CET	80	49760	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:35.193319082 CET	49760	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:35.193530083 CET	80	49760	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:35.193955898 CET	49760	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:35.195910931 CET	49760	80	192.168.2.9	103.224.212.215
Jan 14, 2025 21:06:35.197117090 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.197730064 CET	445	49768	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:35.200869083 CET	80	49760	103.224.212.215	192.168.2.9
Jan 14, 2025 21:06:35.202164888 CET	80	49769	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.202225924 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.204560995 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.209419966 CET	80	49769	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.255755901 CET	49674	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:35.670603037 CET	80	49769	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.670659065 CET	80	49769	199.59.243.228	192.168.2.9
Jan 14, 2025 21:06:35.670691013 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.670741081 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.690795898 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:35.690845966 CET	49769	80	192.168.2.9	199.59.243.228
Jan 14, 2025 21:06:36.966717005 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 21:06:36.966816902 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:37.166918039 CET	49803	445	192.168.2.9	116.209.81.210
Jan 14, 2025 21:06:37.171705008 CET	445	49803	116.209.81.210	192.168.2.9
Jan 14, 2025 21:06:37.172028065 CET	49803	445	192.168.2.9	116.209.81.210
Jan 14, 2025 21:06:37.172028065 CET	49803	445	192.168.2.9	116.209.81.210
Jan 14, 2025 21:06:37.172326088 CET	49804	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.177057028 CET	445	49804	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:37.177124977 CET	49804	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.177186012 CET	49804	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.177294970 CET	445	49803	116.209.81.210	192.168.2.9
Jan 14, 2025 21:06:37.177337885 CET	49803	445	192.168.2.9	116.209.81.210
Jan 14, 2025 21:06:37.178433895 CET	49805	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.182193041 CET	445	49804	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:37.182369947 CET	49804	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.183252096 CET	445	49805	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:37.183322906 CET	49805	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.183377981 CET	49805	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:37.188306093 CET	445	49805	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:39.179359913 CET	49842	445	192.168.2.9	15.212.96.173
Jan 14, 2025 21:06:39.184403896 CET	445	49842	15.212.96.173	192.168.2.9
Jan 14, 2025 21:06:39.184531927 CET	49842	445	192.168.2.9	15.212.96.173
Jan 14, 2025 21:06:39.184684992 CET	49842	445	192.168.2.9	15.212.96.173
Jan 14, 2025 21:06:39.185048103 CET	49843	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.189821959 CET	445	49842	15.212.96.173	192.168.2.9
Jan 14, 2025 21:06:39.189884901 CET	49842	445	192.168.2.9	15.212.96.173
Jan 14, 2025 21:06:39.190125942 CET	445	49843	15.212.96.1	192.168.2.9
Jan 14, 2025 21:06:39.190329075 CET	49843	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.190329075 CET	49843	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.191915989 CET	49845	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.195710897 CET	445	49843	15.212.96.1	192.168.2.9
Jan 14, 2025 21:06:39.195799112 CET	49843	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.197213888 CET	445	49845	15.212.96.1	192.168.2.9
Jan 14, 2025 21:06:39.197303057 CET	49845	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.197514057 CET	49845	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:06:39.202822924 CET	445	49845	15.212.96.1	192.168.2.9
Jan 14, 2025 21:06:41.195209026 CET	49881	445	192.168.2.9	126.245.156.111
Jan 14, 2025 21:06:41.200151920 CET	445	49881	126.245.156.111	192.168.2.9
Jan 14, 2025 21:06:41.200249910 CET	49881	445	192.168.2.9	126.245.156.111
Jan 14, 2025 21:06:41.200299978 CET	49881	445	192.168.2.9	126.245.156.111
Jan 14, 2025 21:06:41.200511932 CET	49882	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.205297947 CET	445	49882	126.245.156.1	192.168.2.9
Jan 14, 2025 21:06:41.205382109 CET	49882	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.205431938 CET	49882	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.206751108 CET	49883	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.208266973 CET	445	49881	126.245.156.111	192.168.2.9
Jan 14, 2025 21:06:41.211643934 CET	445	49883	126.245.156.1	192.168.2.9
Jan 14, 2025 21:06:41.211728096 CET	49883	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.211793900 CET	49883	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.212249041 CET	445	49882	126.245.156.1	192.168.2.9
Jan 14, 2025 21:06:41.216556072 CET	445	49883	126.245.156.1	192.168.2.9
Jan 14, 2025 21:06:41.224739075 CET	445	49881	126.245.156.111	192.168.2.9
Jan 14, 2025 21:06:41.224809885 CET	49881	445	192.168.2.9	126.245.156.111
Jan 14, 2025 21:06:41.225176096 CET	445	49882	126.245.156.1	192.168.2.9
Jan 14, 2025 21:06:41.225363016 CET	49882	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:06:41.568260908 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 21:06:43.211929083 CET	49915	445	192.168.2.9	138.57.247.187
Jan 14, 2025 21:06:43.216861963 CET	445	49915	138.57.247.187	192.168.2.9
Jan 14, 2025 21:06:43.217083931 CET	49915	445	192.168.2.9	138.57.247.187
Jan 14, 2025 21:06:43.217143059 CET	49915	445	192.168.2.9	138.57.247.187
Jan 14, 2025 21:06:43.217411041 CET	49916	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.222325087 CET	445	49916	138.57.247.1	192.168.2.9
Jan 14, 2025 21:06:43.222402096 CET	49916	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.222434998 CET	49916	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.223417044 CET	49917	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.224277020 CET	445	49915	138.57.247.187	192.168.2.9
Jan 14, 2025 21:06:43.228305101 CET	445	49917	138.57.247.1	192.168.2.9
Jan 14, 2025 21:06:43.228413105 CET	49917	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.228490114 CET	49917	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.231060982 CET	445	49915	138.57.247.187	192.168.2.9
Jan 14, 2025 21:06:43.231122017 CET	49915	445	192.168.2.9	138.57.247.187
Jan 14, 2025 21:06:43.231256962 CET	445	49916	138.57.247.1	192.168.2.9
Jan 14, 2025 21:06:43.231321096 CET	49916	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:06:43.233376980 CET	445	49917	138.57.247.1	192.168.2.9
Jan 14, 2025 21:06:45.226035118 CET	49953	445	192.168.2.9	144.69.237.198
Jan 14, 2025 21:06:45.230942965 CET	445	49953	144.69.237.198	192.168.2.9
Jan 14, 2025 21:06:45.231040001 CET	49953	445	192.168.2.9	144.69.237.198
Jan 14, 2025 21:06:45.231113911 CET	49953	445	192.168.2.9	144.69.237.198
Jan 14, 2025 21:06:45.231379032 CET	49954	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.236124992 CET	445	49953	144.69.237.198	192.168.2.9
Jan 14, 2025 21:06:45.236191034 CET	49953	445	192.168.2.9	144.69.237.198
Jan 14, 2025 21:06:45.236262083 CET	445	49954	144.69.237.1	192.168.2.9
Jan 14, 2025 21:06:45.236330032 CET	49954	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.236354113 CET	49954	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.237394094 CET	49955	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.241255045 CET	445	49954	144.69.237.1	192.168.2.9
Jan 14, 2025 21:06:45.241323948 CET	49954	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.242249012 CET	445	49955	144.69.237.1	192.168.2.9
Jan 14, 2025 21:06:45.242311001 CET	49955	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.242347956 CET	49955	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:06:45.247088909 CET	445	49955	144.69.237.1	192.168.2.9
Jan 14, 2025 21:06:47.078052044 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:47.078052044 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:47.078625917 CET	49986	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:47.078694105 CET	443	49986	23.206.229.209	192.168.2.9
Jan 14, 2025 21:06:47.079457045 CET	49986	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:47.079999924 CET	49986	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:47.080015898 CET	443	49986	23.206.229.209	192.168.2.9
Jan 14, 2025 21:06:47.083101988 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 21:06:47.083144903 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 21:06:47.240596056 CET	49991	445	192.168.2.9	34.81.201.226
Jan 14, 2025 21:06:47.245517015 CET	445	49991	34.81.201.226	192.168.2.9
Jan 14, 2025 21:06:47.245876074 CET	49991	445	192.168.2.9	34.81.201.226
Jan 14, 2025 21:06:47.245876074 CET	49991	445	192.168.2.9	34.81.201.226
Jan 14, 2025 21:06:47.245877981 CET	49992	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.250946045 CET	445	49992	34.81.201.1	192.168.2.9
Jan 14, 2025 21:06:47.251020908 CET	49992	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.251059055 CET	49992	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.251157045 CET	445	49991	34.81.201.226	192.168.2.9
Jan 14, 2025 21:06:47.251360893 CET	49993	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.251368999 CET	49991	445	192.168.2.9	34.81.201.226
Jan 14, 2025 21:06:47.255987883 CET	445	49992	34.81.201.1	192.168.2.9
Jan 14, 2025 21:06:47.256078005 CET	49992	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.256300926 CET	445	49993	34.81.201.1	192.168.2.9
Jan 14, 2025 21:06:47.256371975 CET	49993	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.256428957 CET	49993	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:06:47.261259079 CET	445	49993	34.81.201.1	192.168.2.9
Jan 14, 2025 21:06:47.731780052 CET	443	49986	23.206.229.209	192.168.2.9
Jan 14, 2025 21:06:47.731898069 CET	49986	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:06:49.256302118 CET	50025	445	192.168.2.9	199.83.239.113
Jan 14, 2025 21:06:49.261053085 CET	445	50025	199.83.239.113	192.168.2.9
Jan 14, 2025 21:06:49.261118889 CET	50025	445	192.168.2.9	199.83.239.113
Jan 14, 2025 21:06:49.261183023 CET	50025	445	192.168.2.9	199.83.239.113
Jan 14, 2025 21:06:49.261297941 CET	50026	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.266050100 CET	445	50026	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:49.266103029 CET	50026	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.266149044 CET	50026	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.266256094 CET	445	50025	199.83.239.113	192.168.2.9
Jan 14, 2025 21:06:49.266298056 CET	50025	445	192.168.2.9	199.83.239.113
Jan 14, 2025 21:06:49.266453981 CET	50027	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.271166086 CET	445	50026	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:49.271203041 CET	50026	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.271214008 CET	445	50027	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:49.271270037 CET	50027	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.271291018 CET	50027	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:49.276066065 CET	445	50027	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:50.939702034 CET	445	50027	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:50.939769983 CET	50027	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:50.939814091 CET	50027	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:50.939824104 CET	50027	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:50.944612026 CET	445	50027	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:50.944761992 CET	445	50027	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:51.272068977 CET	50062	445	192.168.2.9	16.10.57.179
Jan 14, 2025 21:06:51.276902914 CET	445	50062	16.10.57.179	192.168.2.9
Jan 14, 2025 21:06:51.276972055 CET	50062	445	192.168.2.9	16.10.57.179
Jan 14, 2025 21:06:51.277028084 CET	50062	445	192.168.2.9	16.10.57.179
Jan 14, 2025 21:06:51.277255058 CET	50063	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.282049894 CET	445	50063	16.10.57.1	192.168.2.9
Jan 14, 2025 21:06:51.282119989 CET	50063	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.282175064 CET	50063	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.282279015 CET	445	50062	16.10.57.179	192.168.2.9
Jan 14, 2025 21:06:51.282324076 CET	50062	445	192.168.2.9	16.10.57.179
Jan 14, 2025 21:06:51.282443047 CET	50064	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.287245989 CET	445	50064	16.10.57.1	192.168.2.9
Jan 14, 2025 21:06:51.287257910 CET	445	50063	16.10.57.1	192.168.2.9
Jan 14, 2025 21:06:51.287312984 CET	50063	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.287319899 CET	50064	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.287450075 CET	50064	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:06:51.292253017 CET	445	50064	16.10.57.1	192.168.2.9
Jan 14, 2025 21:06:53.287383080 CET	50099	445	192.168.2.9	68.234.13.186
Jan 14, 2025 21:06:53.292284966 CET	445	50099	68.234.13.186	192.168.2.9
Jan 14, 2025 21:06:53.292390108 CET	50099	445	192.168.2.9	68.234.13.186
Jan 14, 2025 21:06:53.292418003 CET	50099	445	192.168.2.9	68.234.13.186
Jan 14, 2025 21:06:53.292478085 CET	50100	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.297302008 CET	445	50100	68.234.13.1	192.168.2.9
Jan 14, 2025 21:06:53.297333956 CET	445	50099	68.234.13.186	192.168.2.9
Jan 14, 2025 21:06:53.297369003 CET	50100	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.297391891 CET	50099	445	192.168.2.9	68.234.13.186
Jan 14, 2025 21:06:53.297561884 CET	50100	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.297975063 CET	50101	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.302583933 CET	445	50100	68.234.13.1	192.168.2.9
Jan 14, 2025 21:06:53.302664042 CET	50100	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.302747011 CET	445	50101	68.234.13.1	192.168.2.9
Jan 14, 2025 21:06:53.302793980 CET	50101	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.302823067 CET	50101	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:06:53.307595015 CET	445	50101	68.234.13.1	192.168.2.9
Jan 14, 2025 21:06:53.943464994 CET	50114	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:53.948304892 CET	445	50114	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:53.948401928 CET	50114	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:53.948441029 CET	50114	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:53.953257084 CET	445	50114	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:55.303224087 CET	50137	445	192.168.2.9	77.120.13.118
Jan 14, 2025 21:06:55.308386087 CET	445	50137	77.120.13.118	192.168.2.9
Jan 14, 2025 21:06:55.308487892 CET	50137	445	192.168.2.9	77.120.13.118
Jan 14, 2025 21:06:55.308562994 CET	50137	445	192.168.2.9	77.120.13.118
Jan 14, 2025 21:06:55.308727026 CET	50138	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.313512087 CET	445	50137	77.120.13.118	192.168.2.9
Jan 14, 2025 21:06:55.313555002 CET	445	50138	77.120.13.1	192.168.2.9
Jan 14, 2025 21:06:55.313585043 CET	50137	445	192.168.2.9	77.120.13.118
Jan 14, 2025 21:06:55.313625097 CET	50138	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.313698053 CET	50138	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.313971043 CET	50139	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.318650007 CET	445	50138	77.120.13.1	192.168.2.9
Jan 14, 2025 21:06:55.318701982 CET	50138	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.318763018 CET	445	50139	77.120.13.1	192.168.2.9
Jan 14, 2025 21:06:55.318821907 CET	50139	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.318855047 CET	50139	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:06:55.323585033 CET	445	50139	77.120.13.1	192.168.2.9
Jan 14, 2025 21:06:55.456173897 CET	445	50114	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:55.456310987 CET	50114	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:55.456310987 CET	50114	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:55.456409931 CET	50114	445	192.168.2.9	199.83.239.1
Jan 14, 2025 21:06:55.462426901 CET	445	50114	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:55.462440014 CET	445	50114	199.83.239.1	192.168.2.9
Jan 14, 2025 21:06:55.521994114 CET	50144	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.526901960 CET	445	50144	199.83.239.2	192.168.2.9
Jan 14, 2025 21:06:55.526961088 CET	50144	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.527085066 CET	50144	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.527370930 CET	50145	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.531986952 CET	445	50144	199.83.239.2	192.168.2.9
Jan 14, 2025 21:06:55.532030106 CET	50144	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.532201052 CET	445	50145	199.83.239.2	192.168.2.9
Jan 14, 2025 21:06:55.532249928 CET	50145	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.532290936 CET	50145	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:06:55.536990881 CET	445	50145	199.83.239.2	192.168.2.9
Jan 14, 2025 21:06:56.602248907 CET	445	49768	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:56.602329969 CET	49768	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:56.602372885 CET	49768	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:56.602432013 CET	49768	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:56.607249022 CET	445	49768	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:56.607289076 CET	445	49768	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:57.318914890 CET	50177	445	192.168.2.9	51.159.121.244
Jan 14, 2025 21:06:57.323822021 CET	445	50177	51.159.121.244	192.168.2.9
Jan 14, 2025 21:06:57.323913097 CET	50177	445	192.168.2.9	51.159.121.244
Jan 14, 2025 21:06:57.323981047 CET	50177	445	192.168.2.9	51.159.121.244
Jan 14, 2025 21:06:57.324081898 CET	50179	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.328983068 CET	445	50179	51.159.121.1	192.168.2.9
Jan 14, 2025 21:06:57.329056978 CET	50179	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.329096079 CET	50179	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.329123974 CET	445	50177	51.159.121.244	192.168.2.9
Jan 14, 2025 21:06:57.329183102 CET	50177	445	192.168.2.9	51.159.121.244
Jan 14, 2025 21:06:57.329355955 CET	50180	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.334244013 CET	445	50179	51.159.121.1	192.168.2.9
Jan 14, 2025 21:06:57.334315062 CET	445	50180	51.159.121.1	192.168.2.9
Jan 14, 2025 21:06:57.334314108 CET	50179	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.334379911 CET	50180	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.334422112 CET	50180	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:06:57.339281082 CET	445	50180	51.159.121.1	192.168.2.9
Jan 14, 2025 21:06:58.573316097 CET	445	49805	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:58.573385954 CET	49805	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:58.573430061 CET	49805	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:58.573489904 CET	49805	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:06:58.578238964 CET	445	49805	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:58.578291893 CET	445	49805	116.209.81.1	192.168.2.9
Jan 14, 2025 21:06:59.334610939 CET	50214	445	192.168.2.9	222.113.31.86
Jan 14, 2025 21:06:59.339553118 CET	445	50214	222.113.31.86	192.168.2.9
Jan 14, 2025 21:06:59.339684963 CET	50214	445	192.168.2.9	222.113.31.86
Jan 14, 2025 21:06:59.339729071 CET	50214	445	192.168.2.9	222.113.31.86
Jan 14, 2025 21:06:59.339937925 CET	50215	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.344805956 CET	445	50215	222.113.31.1	192.168.2.9
Jan 14, 2025 21:06:59.344922066 CET	445	50214	222.113.31.86	192.168.2.9
Jan 14, 2025 21:06:59.344949961 CET	50215	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.344949961 CET	50215	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.344988108 CET	50214	445	192.168.2.9	222.113.31.86
Jan 14, 2025 21:06:59.345417023 CET	50216	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.350209951 CET	445	50215	222.113.31.1	192.168.2.9
Jan 14, 2025 21:06:59.350233078 CET	445	50216	222.113.31.1	192.168.2.9
Jan 14, 2025 21:06:59.350286961 CET	50215	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.350322962 CET	50216	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.350368023 CET	50216	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:06:59.355165958 CET	445	50216	222.113.31.1	192.168.2.9
Jan 14, 2025 21:06:59.615489006 CET	50220	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:59.621562958 CET	445	50220	3.157.171.1	192.168.2.9
Jan 14, 2025 21:06:59.621642113 CET	50220	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:59.621692896 CET	50220	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:06:59.627793074 CET	445	50220	3.157.171.1	192.168.2.9
Jan 14, 2025 21:07:00.585601091 CET	445	49845	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:00.585675001 CET	49845	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:00.585751057 CET	49845	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:00.585827112 CET	49845	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:00.590662003 CET	445	49845	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:00.590675116 CET	445	49845	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:01.350361109 CET	50232	445	192.168.2.9	150.135.181.70
Jan 14, 2025 21:07:01.355521917 CET	445	50232	150.135.181.70	192.168.2.9
Jan 14, 2025 21:07:01.355659962 CET	50232	445	192.168.2.9	150.135.181.70
Jan 14, 2025 21:07:01.355696917 CET	50232	445	192.168.2.9	150.135.181.70
Jan 14, 2025 21:07:01.355885983 CET	50233	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.360852003 CET	445	50233	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:01.360891104 CET	445	50232	150.135.181.70	192.168.2.9
Jan 14, 2025 21:07:01.360929966 CET	50233	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.360960007 CET	50232	445	192.168.2.9	150.135.181.70
Jan 14, 2025 21:07:01.361074924 CET	50233	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.361438036 CET	50234	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.366307974 CET	445	50233	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:01.366375923 CET	50233	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.366588116 CET	445	50234	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:01.366662025 CET	50234	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.366722107 CET	50234	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:01.371514082 CET	445	50234	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:01.595710993 CET	50237	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:07:01.600641012 CET	445	50237	116.209.81.1	192.168.2.9
Jan 14, 2025 21:07:01.600720882 CET	50237	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:07:01.600914955 CET	50237	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:07:01.605833054 CET	445	50237	116.209.81.1	192.168.2.9
Jan 14, 2025 21:07:02.584920883 CET	445	49883	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:02.585098028 CET	49883	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:02.585098028 CET	49883	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:02.585138083 CET	49883	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:02.590991020 CET	445	49883	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:02.591027021 CET	445	49883	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:03.365673065 CET	50249	445	192.168.2.9	103.42.206.197
Jan 14, 2025 21:07:03.370675087 CET	445	50249	103.42.206.197	192.168.2.9
Jan 14, 2025 21:07:03.370812893 CET	50249	445	192.168.2.9	103.42.206.197
Jan 14, 2025 21:07:03.370872974 CET	50249	445	192.168.2.9	103.42.206.197
Jan 14, 2025 21:07:03.370920897 CET	50250	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.375818968 CET	445	50250	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:03.375897884 CET	50250	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.375927925 CET	50250	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.375969887 CET	445	50249	103.42.206.197	192.168.2.9
Jan 14, 2025 21:07:03.376035929 CET	50249	445	192.168.2.9	103.42.206.197
Jan 14, 2025 21:07:03.376470089 CET	50251	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.380934000 CET	445	50250	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:03.381005049 CET	50250	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.381342888 CET	445	50251	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:03.381500959 CET	50251	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.381500959 CET	50251	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:03.386322021 CET	445	50251	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:03.600297928 CET	50254	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:03.605274916 CET	445	50254	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:03.605350018 CET	50254	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:03.605415106 CET	50254	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:03.610270977 CET	445	50254	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:04.585298061 CET	445	49917	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:04.585413933 CET	49917	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:04.585593939 CET	49917	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:04.585593939 CET	49917	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:04.591378927 CET	445	49917	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:04.591391087 CET	445	49917	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:05.381438017 CET	50265	445	192.168.2.9	181.171.88.204
Jan 14, 2025 21:07:05.406852961 CET	445	50265	181.171.88.204	192.168.2.9
Jan 14, 2025 21:07:05.406991959 CET	50265	445	192.168.2.9	181.171.88.204
Jan 14, 2025 21:07:05.407128096 CET	50265	445	192.168.2.9	181.171.88.204
Jan 14, 2025 21:07:05.407373905 CET	50266	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.411953926 CET	445	50265	181.171.88.204	192.168.2.9
Jan 14, 2025 21:07:05.412024021 CET	50265	445	192.168.2.9	181.171.88.204
Jan 14, 2025 21:07:05.412204981 CET	445	50266	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:05.412261009 CET	50266	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.412286043 CET	50266	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.412609100 CET	50267	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.417205095 CET	445	50266	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:05.417264938 CET	50266	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.417462111 CET	445	50267	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:05.417524099 CET	50267	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.417576075 CET	50267	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:05.422398090 CET	445	50267	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:05.599931002 CET	50270	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:05.604852915 CET	445	50270	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:05.604958057 CET	50270	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:05.604999065 CET	50270	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:05.609901905 CET	445	50270	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:06.600840092 CET	445	49955	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:06.601044893 CET	49955	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:06.601046085 CET	49955	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:06.601140022 CET	49955	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:06.605962992 CET	445	49955	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:06.605974913 CET	445	49955	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:07.222497940 CET	443	49986	23.206.229.209	192.168.2.9
Jan 14, 2025 21:07:07.222712040 CET	49986	443	192.168.2.9	23.206.229.209
Jan 14, 2025 21:07:07.256303072 CET	445	50267	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:07.256495953 CET	50267	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:07.256496906 CET	50267	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:07.256496906 CET	50267	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:07.261708021 CET	445	50267	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:07.261739969 CET	445	50267	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:07.400202036 CET	50282	445	192.168.2.9	52.145.247.111
Jan 14, 2025 21:07:07.405515909 CET	445	50282	52.145.247.111	192.168.2.9
Jan 14, 2025 21:07:07.405596972 CET	50282	445	192.168.2.9	52.145.247.111
Jan 14, 2025 21:07:07.405697107 CET	50282	445	192.168.2.9	52.145.247.111
Jan 14, 2025 21:07:07.405869961 CET	50283	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.411056995 CET	445	50283	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:07.411185026 CET	50283	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.411237955 CET	445	50282	52.145.247.111	192.168.2.9
Jan 14, 2025 21:07:07.411254883 CET	50283	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.411298037 CET	50282	445	192.168.2.9	52.145.247.111
Jan 14, 2025 21:07:07.414243937 CET	50284	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.416518927 CET	445	50283	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:07.416569948 CET	50283	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.418983936 CET	445	50284	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:07.419054985 CET	50284	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.419126034 CET	50284	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:07.424412012 CET	445	50284	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:07.600502014 CET	50287	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:07.605284929 CET	445	50287	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:07.605400085 CET	50287	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:07.607326984 CET	50287	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:07.612142086 CET	445	50287	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:08.679481030 CET	445	49993	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:08.679568052 CET	49993	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:08.679610014 CET	49993	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:08.679636955 CET	49993	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:08.684462070 CET	445	49993	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:08.684469938 CET	445	49993	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:09.412564993 CET	50297	445	192.168.2.9	186.17.232.223
Jan 14, 2025 21:07:09.417356014 CET	445	50297	186.17.232.223	192.168.2.9
Jan 14, 2025 21:07:09.418178082 CET	50297	445	192.168.2.9	186.17.232.223
Jan 14, 2025 21:07:09.418234110 CET	50297	445	192.168.2.9	186.17.232.223
Jan 14, 2025 21:07:09.418343067 CET	50298	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.423067093 CET	445	50298	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:09.423140049 CET	445	50297	186.17.232.223	192.168.2.9
Jan 14, 2025 21:07:09.423209906 CET	50297	445	192.168.2.9	186.17.232.223
Jan 14, 2025 21:07:09.423223019 CET	50298	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.423343897 CET	50298	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.423602104 CET	50299	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.428159952 CET	445	50298	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:09.428407907 CET	445	50299	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:09.428456068 CET	50298	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.428479910 CET	50299	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.428544044 CET	50299	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:09.433253050 CET	445	50299	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:09.615710020 CET	50300	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:09.620532990 CET	445	50300	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:09.620630980 CET	50300	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:09.620695114 CET	50300	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:09.625505924 CET	445	50300	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:10.271790981 CET	50301	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:10.276896954 CET	445	50301	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:10.277040005 CET	50301	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:10.277091026 CET	50301	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:10.281927109 CET	445	50301	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:11.287533045 CET	50302	445	192.168.2.9	50.121.163.147
Jan 14, 2025 21:07:11.292783976 CET	445	50302	50.121.163.147	192.168.2.9
Jan 14, 2025 21:07:11.292870045 CET	50302	445	192.168.2.9	50.121.163.147
Jan 14, 2025 21:07:11.292893887 CET	50302	445	192.168.2.9	50.121.163.147
Jan 14, 2025 21:07:11.293056965 CET	50303	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.297878981 CET	445	50302	50.121.163.147	192.168.2.9
Jan 14, 2025 21:07:11.297986031 CET	50302	445	192.168.2.9	50.121.163.147
Jan 14, 2025 21:07:11.298027992 CET	445	50303	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:11.298096895 CET	50303	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.298151970 CET	50303	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.298392057 CET	50304	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.303286076 CET	445	50303	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:11.303302050 CET	445	50304	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:11.303356886 CET	50303	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.303383112 CET	50304	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.303405046 CET	50304	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:11.308873892 CET	445	50304	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:11.693725109 CET	50305	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:11.698611021 CET	445	50305	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:11.701180935 CET	50305	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:11.701203108 CET	50305	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:11.705986977 CET	445	50305	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:12.178122997 CET	445	50301	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:12.178263903 CET	50301	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:12.178311110 CET	50301	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:12.178311110 CET	50301	445	192.168.2.9	181.171.88.1
Jan 14, 2025 21:07:12.183192015 CET	445	50301	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:12.183203936 CET	445	50301	181.171.88.1	192.168.2.9
Jan 14, 2025 21:07:12.240653992 CET	50306	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.245734930 CET	445	50306	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:12.245836973 CET	50306	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.245862007 CET	50306	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.246256113 CET	50307	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.250823021 CET	445	50306	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:12.250897884 CET	50306	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.251094103 CET	445	50307	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:12.251159906 CET	50307	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.251204967 CET	50307	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:12.256023884 CET	445	50307	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:12.698312998 CET	445	50064	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:12.698424101 CET	50064	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:12.698462009 CET	50064	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:12.698487043 CET	50064	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:12.703272104 CET	445	50064	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:12.703282118 CET	445	50064	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:13.037676096 CET	50308	445	192.168.2.9	63.166.202.107
Jan 14, 2025 21:07:13.043298960 CET	445	50308	63.166.202.107	192.168.2.9
Jan 14, 2025 21:07:13.043425083 CET	50308	445	192.168.2.9	63.166.202.107
Jan 14, 2025 21:07:13.043451071 CET	50308	445	192.168.2.9	63.166.202.107
Jan 14, 2025 21:07:13.043623924 CET	50309	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.048947096 CET	445	50309	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:13.049038887 CET	50309	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.049067974 CET	445	50308	63.166.202.107	192.168.2.9
Jan 14, 2025 21:07:13.049115896 CET	50308	445	192.168.2.9	63.166.202.107
Jan 14, 2025 21:07:13.049144030 CET	50309	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.049416065 CET	50310	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.054744005 CET	445	50310	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:13.054755926 CET	445	50309	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:13.054804087 CET	50310	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.054827929 CET	50309	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.054876089 CET	50310	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:13.060184002 CET	445	50310	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:14.678436041 CET	50311	445	192.168.2.9	71.110.186.84
Jan 14, 2025 21:07:14.683391094 CET	445	50311	71.110.186.84	192.168.2.9
Jan 14, 2025 21:07:14.683460951 CET	50311	445	192.168.2.9	71.110.186.84
Jan 14, 2025 21:07:14.683497906 CET	50311	445	192.168.2.9	71.110.186.84
Jan 14, 2025 21:07:14.683636904 CET	50312	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:14.684411049 CET	445	50101	68.234.13.1	192.168.2.9
Jan 14, 2025 21:07:14.684470892 CET	50101	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:14.684500933 CET	50101	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:14.684530020 CET	50101	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:14.688472033 CET	445	50312	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:14.688486099 CET	445	50311	71.110.186.84	192.168.2.9
Jan 14, 2025 21:07:14.688590050 CET	50311	445	192.168.2.9	71.110.186.84
Jan 14, 2025 21:07:14.688605070 CET	50312	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:14.688944101 CET	50313	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:14.689287901 CET	445	50101	68.234.13.1	192.168.2.9
Jan 14, 2025 21:07:14.689297915 CET	445	50101	68.234.13.1	192.168.2.9
Jan 14, 2025 21:07:14.693559885 CET	445	50312	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:14.693722963 CET	50312	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:14.693746090 CET	445	50313	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:14.693803072 CET	50313	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:14.693836927 CET	50313	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:14.698662043 CET	445	50313	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:15.709264040 CET	50314	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:15.714234114 CET	445	50314	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:15.714303970 CET	50314	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:15.714337111 CET	50314	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:15.719111919 CET	445	50314	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:16.210197926 CET	50315	445	192.168.2.9	120.193.75.236
Jan 14, 2025 21:07:16.215066910 CET	445	50315	120.193.75.236	192.168.2.9
Jan 14, 2025 21:07:16.215190887 CET	50315	445	192.168.2.9	120.193.75.236
Jan 14, 2025 21:07:16.215326071 CET	50315	445	192.168.2.9	120.193.75.236
Jan 14, 2025 21:07:16.215337038 CET	50316	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.220112085 CET	445	50316	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:16.220212936 CET	50316	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.220216990 CET	445	50315	120.193.75.236	192.168.2.9
Jan 14, 2025 21:07:16.220246077 CET	50316	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.220838070 CET	50317	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.222666979 CET	445	50315	120.193.75.236	192.168.2.9
Jan 14, 2025 21:07:16.222739935 CET	50315	445	192.168.2.9	120.193.75.236
Jan 14, 2025 21:07:16.225184917 CET	445	50316	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:16.225243092 CET	50316	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.225644112 CET	445	50317	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:16.225711107 CET	50317	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.225739956 CET	50317	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:16.230482101 CET	445	50317	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:16.678889036 CET	445	50139	77.120.13.1	192.168.2.9
Jan 14, 2025 21:07:16.678975105 CET	50139	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:16.679012060 CET	50139	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:16.679039955 CET	50139	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:16.683795929 CET	445	50139	77.120.13.1	192.168.2.9
Jan 14, 2025 21:07:16.683809042 CET	445	50139	77.120.13.1	192.168.2.9
Jan 14, 2025 21:07:16.899449110 CET	445	50145	199.83.239.2	192.168.2.9
Jan 14, 2025 21:07:16.899595976 CET	50145	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:16.899636984 CET	50145	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:16.899677038 CET	50145	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:16.904536963 CET	445	50145	199.83.239.2	192.168.2.9
Jan 14, 2025 21:07:16.904550076 CET	445	50145	199.83.239.2	192.168.2.9
Jan 14, 2025 21:07:17.631359100 CET	50318	445	192.168.2.9	136.127.160.37
Jan 14, 2025 21:07:17.636383057 CET	445	50318	136.127.160.37	192.168.2.9
Jan 14, 2025 21:07:17.636470079 CET	50318	445	192.168.2.9	136.127.160.37
Jan 14, 2025 21:07:17.636538029 CET	50318	445	192.168.2.9	136.127.160.37
Jan 14, 2025 21:07:17.636709929 CET	50319	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.641469002 CET	445	50318	136.127.160.37	192.168.2.9
Jan 14, 2025 21:07:17.641485929 CET	445	50319	136.127.160.1	192.168.2.9
Jan 14, 2025 21:07:17.641541958 CET	50318	445	192.168.2.9	136.127.160.37
Jan 14, 2025 21:07:17.641561031 CET	50319	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.641680002 CET	50319	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.642009020 CET	50320	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.646548033 CET	445	50319	136.127.160.1	192.168.2.9
Jan 14, 2025 21:07:17.646611929 CET	50319	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.646770000 CET	445	50320	136.127.160.1	192.168.2.9
Jan 14, 2025 21:07:17.646826029 CET	50320	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.646868944 CET	50320	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:17.651722908 CET	445	50320	136.127.160.1	192.168.2.9
Jan 14, 2025 21:07:17.693648100 CET	50321	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:17.698633909 CET	445	50321	68.234.13.1	192.168.2.9
Jan 14, 2025 21:07:17.698745012 CET	50321	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:17.698802948 CET	50321	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:17.703634024 CET	445	50321	68.234.13.1	192.168.2.9
Jan 14, 2025 21:07:18.699086905 CET	445	50180	51.159.121.1	192.168.2.9
Jan 14, 2025 21:07:18.699242115 CET	50180	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:18.699342966 CET	50180	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:18.699342966 CET	50180	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:18.704210997 CET	445	50180	51.159.121.1	192.168.2.9
Jan 14, 2025 21:07:18.704243898 CET	445	50180	51.159.121.1	192.168.2.9
Jan 14, 2025 21:07:18.962908983 CET	50322	445	192.168.2.9	134.238.213.215
Jan 14, 2025 21:07:18.968027115 CET	445	50322	134.238.213.215	192.168.2.9
Jan 14, 2025 21:07:18.968173981 CET	50322	445	192.168.2.9	134.238.213.215
Jan 14, 2025 21:07:18.968286037 CET	50322	445	192.168.2.9	134.238.213.215
Jan 14, 2025 21:07:18.968482971 CET	50323	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.973330021 CET	445	50323	134.238.213.1	192.168.2.9
Jan 14, 2025 21:07:18.973433018 CET	50323	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.973475933 CET	50323	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.973761082 CET	50324	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.974982023 CET	445	50322	134.238.213.215	192.168.2.9
Jan 14, 2025 21:07:18.975037098 CET	50322	445	192.168.2.9	134.238.213.215
Jan 14, 2025 21:07:18.978624105 CET	445	50323	134.238.213.1	192.168.2.9
Jan 14, 2025 21:07:18.978694916 CET	50323	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.978729963 CET	445	50324	134.238.213.1	192.168.2.9
Jan 14, 2025 21:07:18.978792906 CET	50324	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.978837967 CET	50324	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:18.983717918 CET	445	50324	134.238.213.1	192.168.2.9
Jan 14, 2025 21:07:19.695394993 CET	50325	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:19.700551033 CET	445	50325	77.120.13.1	192.168.2.9
Jan 14, 2025 21:07:19.700694084 CET	50325	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:19.703042984 CET	50325	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:19.707969904 CET	445	50325	77.120.13.1	192.168.2.9
Jan 14, 2025 21:07:19.912314892 CET	50326	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:19.917296886 CET	445	50326	199.83.239.2	192.168.2.9
Jan 14, 2025 21:07:19.917380095 CET	50326	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:19.917399883 CET	50326	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:19.922147989 CET	445	50326	199.83.239.2	192.168.2.9
Jan 14, 2025 21:07:20.209774971 CET	50327	445	192.168.2.9	30.228.189.78
Jan 14, 2025 21:07:20.214728117 CET	445	50327	30.228.189.78	192.168.2.9
Jan 14, 2025 21:07:20.214848042 CET	50327	445	192.168.2.9	30.228.189.78
Jan 14, 2025 21:07:20.214901924 CET	50327	445	192.168.2.9	30.228.189.78
Jan 14, 2025 21:07:20.215121984 CET	50328	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.219856977 CET	445	50328	30.228.189.1	192.168.2.9
Jan 14, 2025 21:07:20.219923019 CET	50328	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.219950914 CET	50328	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.220273972 CET	50329	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.220293999 CET	445	50327	30.228.189.78	192.168.2.9
Jan 14, 2025 21:07:20.225066900 CET	445	50329	30.228.189.1	192.168.2.9
Jan 14, 2025 21:07:20.225128889 CET	50329	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.225158930 CET	50329	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.225868940 CET	445	50327	30.228.189.78	192.168.2.9
Jan 14, 2025 21:07:20.225909948 CET	50327	445	192.168.2.9	30.228.189.78
Jan 14, 2025 21:07:20.226289034 CET	445	50328	30.228.189.1	192.168.2.9
Jan 14, 2025 21:07:20.226334095 CET	50328	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:20.229939938 CET	445	50329	30.228.189.1	192.168.2.9
Jan 14, 2025 21:07:20.741570950 CET	445	50216	222.113.31.1	192.168.2.9
Jan 14, 2025 21:07:20.743438959 CET	50216	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:20.743530035 CET	50216	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:20.743530035 CET	50216	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:20.748538971 CET	445	50216	222.113.31.1	192.168.2.9
Jan 14, 2025 21:07:20.748554945 CET	445	50216	222.113.31.1	192.168.2.9
Jan 14, 2025 21:07:20.997224092 CET	445	50220	3.157.171.1	192.168.2.9
Jan 14, 2025 21:07:21.001209021 CET	50220	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:07:21.001266003 CET	50220	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:07:21.001331091 CET	50220	445	192.168.2.9	3.157.171.1
Jan 14, 2025 21:07:21.006165028 CET	445	50220	3.157.171.1	192.168.2.9
Jan 14, 2025 21:07:21.006181002 CET	445	50220	3.157.171.1	192.168.2.9
Jan 14, 2025 21:07:21.053312063 CET	50330	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.058350086 CET	445	50330	3.157.171.2	192.168.2.9
Jan 14, 2025 21:07:21.061237097 CET	50330	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.061337948 CET	50330	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.061713934 CET	50331	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.066351891 CET	445	50330	3.157.171.2	192.168.2.9
Jan 14, 2025 21:07:21.066529036 CET	445	50331	3.157.171.2	192.168.2.9
Jan 14, 2025 21:07:21.066606045 CET	50330	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.066639900 CET	50331	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.066720009 CET	50331	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:21.071605921 CET	445	50331	3.157.171.2	192.168.2.9
Jan 14, 2025 21:07:21.365773916 CET	50332	445	192.168.2.9	132.227.104.105
Jan 14, 2025 21:07:21.370815039 CET	445	50332	132.227.104.105	192.168.2.9
Jan 14, 2025 21:07:21.373326063 CET	50332	445	192.168.2.9	132.227.104.105
Jan 14, 2025 21:07:21.373424053 CET	50332	445	192.168.2.9	132.227.104.105
Jan 14, 2025 21:07:21.373599052 CET	50333	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.378421068 CET	445	50333	132.227.104.1	192.168.2.9
Jan 14, 2025 21:07:21.381052971 CET	50333	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.381182909 CET	50333	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.381268978 CET	445	50332	132.227.104.105	192.168.2.9
Jan 14, 2025 21:07:21.381591082 CET	50332	445	192.168.2.9	132.227.104.105
Jan 14, 2025 21:07:21.381587029 CET	50334	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.388916016 CET	445	50334	132.227.104.1	192.168.2.9
Jan 14, 2025 21:07:21.388967991 CET	445	50333	132.227.104.1	192.168.2.9
Jan 14, 2025 21:07:21.389074087 CET	50334	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.389163017 CET	50334	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.392478943 CET	445	50333	132.227.104.1	192.168.2.9
Jan 14, 2025 21:07:21.393170118 CET	50333	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:21.394278049 CET	445	50334	132.227.104.1	192.168.2.9
Jan 14, 2025 21:07:21.709299088 CET	50335	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:21.731307030 CET	445	50335	51.159.121.1	192.168.2.9
Jan 14, 2025 21:07:21.731403112 CET	50335	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:21.731450081 CET	50335	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:21.736219883 CET	445	50335	51.159.121.1	192.168.2.9
Jan 14, 2025 21:07:21.920603991 CET	49705	80	192.168.2.9	199.232.214.172
Jan 14, 2025 21:07:21.927094936 CET	80	49705	199.232.214.172	192.168.2.9
Jan 14, 2025 21:07:21.927217007 CET	49705	80	192.168.2.9	199.232.214.172
Jan 14, 2025 21:07:22.449079990 CET	50336	445	192.168.2.9	178.61.232.175
Jan 14, 2025 21:07:22.455528975 CET	445	50336	178.61.232.175	192.168.2.9
Jan 14, 2025 21:07:22.455611944 CET	50336	445	192.168.2.9	178.61.232.175
Jan 14, 2025 21:07:22.455697060 CET	50336	445	192.168.2.9	178.61.232.175
Jan 14, 2025 21:07:22.455863953 CET	50337	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.462179899 CET	445	50336	178.61.232.175	192.168.2.9
Jan 14, 2025 21:07:22.462249041 CET	50336	445	192.168.2.9	178.61.232.175
Jan 14, 2025 21:07:22.462296963 CET	445	50337	178.61.232.1	192.168.2.9
Jan 14, 2025 21:07:22.462358952 CET	50337	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.462436914 CET	50337	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.462825060 CET	50338	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.469327927 CET	445	50338	178.61.232.1	192.168.2.9
Jan 14, 2025 21:07:22.469424963 CET	50338	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.469760895 CET	445	50337	178.61.232.1	192.168.2.9
Jan 14, 2025 21:07:22.470050097 CET	445	50337	178.61.232.1	192.168.2.9
Jan 14, 2025 21:07:22.470091105 CET	50337	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.472920895 CET	50338	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:22.479372978 CET	445	50338	178.61.232.1	192.168.2.9
Jan 14, 2025 21:07:22.727760077 CET	445	50234	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:22.728009939 CET	50234	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:22.728009939 CET	50234	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:22.728060007 CET	50234	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:22.732913017 CET	445	50234	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:22.732925892 CET	445	50234	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:22.961093903 CET	445	50237	116.209.81.1	192.168.2.9
Jan 14, 2025 21:07:22.961182117 CET	50237	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:07:22.961240053 CET	50237	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:07:22.961282969 CET	50237	445	192.168.2.9	116.209.81.1
Jan 14, 2025 21:07:22.966140985 CET	445	50237	116.209.81.1	192.168.2.9
Jan 14, 2025 21:07:22.966175079 CET	445	50237	116.209.81.1	192.168.2.9
Jan 14, 2025 21:07:23.021981955 CET	50339	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.026974916 CET	445	50339	116.209.81.2	192.168.2.9
Jan 14, 2025 21:07:23.027040958 CET	50339	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.027246952 CET	50339	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.027591944 CET	50340	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.032072067 CET	445	50339	116.209.81.2	192.168.2.9
Jan 14, 2025 21:07:23.032131910 CET	50339	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.032401085 CET	445	50340	116.209.81.2	192.168.2.9
Jan 14, 2025 21:07:23.032481909 CET	50340	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.032540083 CET	50340	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:23.037343025 CET	445	50340	116.209.81.2	192.168.2.9
Jan 14, 2025 21:07:23.459613085 CET	50342	445	192.168.2.9	90.4.176.57
Jan 14, 2025 21:07:23.464517117 CET	445	50342	90.4.176.57	192.168.2.9
Jan 14, 2025 21:07:23.464632034 CET	50342	445	192.168.2.9	90.4.176.57
Jan 14, 2025 21:07:23.464673996 CET	50342	445	192.168.2.9	90.4.176.57
Jan 14, 2025 21:07:23.464845896 CET	50343	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.469715118 CET	445	50343	90.4.176.1	192.168.2.9
Jan 14, 2025 21:07:23.469786882 CET	50343	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.469857931 CET	445	50342	90.4.176.57	192.168.2.9
Jan 14, 2025 21:07:23.469903946 CET	50343	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.469911098 CET	50342	445	192.168.2.9	90.4.176.57
Jan 14, 2025 21:07:23.470285892 CET	50344	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.475059032 CET	445	50343	90.4.176.1	192.168.2.9
Jan 14, 2025 21:07:23.475115061 CET	445	50344	90.4.176.1	192.168.2.9
Jan 14, 2025 21:07:23.475142002 CET	50343	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.475178003 CET	50344	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.475217104 CET	50344	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:23.480011940 CET	445	50344	90.4.176.1	192.168.2.9
Jan 14, 2025 21:07:23.756180048 CET	50345	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:23.761786938 CET	445	50345	222.113.31.1	192.168.2.9
Jan 14, 2025 21:07:23.765235901 CET	50345	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:23.768184900 CET	50345	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:23.772999048 CET	445	50345	222.113.31.1	192.168.2.9
Jan 14, 2025 21:07:24.397135973 CET	50346	445	192.168.2.9	62.129.107.104
Jan 14, 2025 21:07:24.402057886 CET	445	50346	62.129.107.104	192.168.2.9
Jan 14, 2025 21:07:24.402115107 CET	50346	445	192.168.2.9	62.129.107.104
Jan 14, 2025 21:07:24.402163029 CET	50346	445	192.168.2.9	62.129.107.104
Jan 14, 2025 21:07:24.402331114 CET	50347	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:24.407119989 CET	445	50347	62.129.107.1	192.168.2.9
Jan 14, 2025 21:07:24.407430887 CET	445	50346	62.129.107.104	192.168.2.9
Jan 14, 2025 21:07:24.407522917 CET	50346	445	192.168.2.9	62.129.107.104
Jan 14, 2025 21:07:24.407542944 CET	50347	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:24.408019066 CET	50348	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:24.412604094 CET	445	50347	62.129.107.1	192.168.2.9
Jan 14, 2025 21:07:24.412750006 CET	445	50348	62.129.107.1	192.168.2.9
Jan 14, 2025 21:07:24.412818909 CET	50347	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:24.412847042 CET	50348	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:24.412882090 CET	50348	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:24.417644024 CET	445	50348	62.129.107.1	192.168.2.9
Jan 14, 2025 21:07:24.761132002 CET	445	50251	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:24.761229038 CET	50251	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:24.761313915 CET	50251	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:24.761315107 CET	50251	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:24.766156912 CET	445	50251	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:24.766170979 CET	445	50251	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:24.979916096 CET	445	50254	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:24.979990959 CET	50254	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:24.980103016 CET	50254	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:24.980165958 CET	50254	445	192.168.2.9	15.212.96.1
Jan 14, 2025 21:07:24.984894991 CET	445	50254	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:24.984987020 CET	445	50254	15.212.96.1	192.168.2.9
Jan 14, 2025 21:07:25.038537979 CET	50349	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.043529987 CET	445	50349	15.212.96.2	192.168.2.9
Jan 14, 2025 21:07:25.043634892 CET	50349	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.043634892 CET	50349	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.043977022 CET	50350	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.048707962 CET	445	50349	15.212.96.2	192.168.2.9
Jan 14, 2025 21:07:25.048767090 CET	50349	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.048777103 CET	445	50350	15.212.96.2	192.168.2.9
Jan 14, 2025 21:07:25.048827887 CET	50350	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.048858881 CET	50350	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:25.053708076 CET	445	50350	15.212.96.2	192.168.2.9
Jan 14, 2025 21:07:25.272119045 CET	50351	445	192.168.2.9	178.11.150.145
Jan 14, 2025 21:07:25.277168036 CET	445	50351	178.11.150.145	192.168.2.9
Jan 14, 2025 21:07:25.277331114 CET	50351	445	192.168.2.9	178.11.150.145
Jan 14, 2025 21:07:25.277332067 CET	50351	445	192.168.2.9	178.11.150.145
Jan 14, 2025 21:07:25.277437925 CET	50352	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.282285929 CET	445	50352	178.11.150.1	192.168.2.9
Jan 14, 2025 21:07:25.282367945 CET	50352	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.282367945 CET	50352	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.282402992 CET	445	50351	178.11.150.145	192.168.2.9
Jan 14, 2025 21:07:25.282685041 CET	50353	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.282701969 CET	50351	445	192.168.2.9	178.11.150.145
Jan 14, 2025 21:07:25.287451982 CET	445	50352	178.11.150.1	192.168.2.9
Jan 14, 2025 21:07:25.287487984 CET	445	50353	178.11.150.1	192.168.2.9
Jan 14, 2025 21:07:25.287556887 CET	50352	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.287902117 CET	50353	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.287903070 CET	50353	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:25.292764902 CET	445	50353	178.11.150.1	192.168.2.9
Jan 14, 2025 21:07:25.740550041 CET	50354	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:25.745579004 CET	445	50354	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:25.745671034 CET	50354	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:25.745697975 CET	50354	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:25.750524998 CET	445	50354	150.135.181.1	192.168.2.9
Jan 14, 2025 21:07:26.100070953 CET	50355	445	192.168.2.9	111.205.61.88
Jan 14, 2025 21:07:26.105015039 CET	445	50355	111.205.61.88	192.168.2.9
Jan 14, 2025 21:07:26.105091095 CET	50355	445	192.168.2.9	111.205.61.88
Jan 14, 2025 21:07:26.105124950 CET	50355	445	192.168.2.9	111.205.61.88
Jan 14, 2025 21:07:26.105287075 CET	50356	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.110028028 CET	445	50356	111.205.61.1	192.168.2.9
Jan 14, 2025 21:07:26.110115051 CET	445	50355	111.205.61.88	192.168.2.9
Jan 14, 2025 21:07:26.110198021 CET	50355	445	192.168.2.9	111.205.61.88
Jan 14, 2025 21:07:26.110198021 CET	50356	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.110532999 CET	50357	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.110544920 CET	50356	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.115345955 CET	445	50357	111.205.61.1	192.168.2.9
Jan 14, 2025 21:07:26.115356922 CET	445	50356	111.205.61.1	192.168.2.9
Jan 14, 2025 21:07:26.115434885 CET	50356	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.115463018 CET	50357	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.115463018 CET	50357	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:26.120235920 CET	445	50357	111.205.61.1	192.168.2.9
Jan 14, 2025 21:07:26.865784883 CET	50358	445	192.168.2.9	223.92.131.20
Jan 14, 2025 21:07:26.871970892 CET	445	50358	223.92.131.20	192.168.2.9
Jan 14, 2025 21:07:26.872204065 CET	50358	445	192.168.2.9	223.92.131.20
Jan 14, 2025 21:07:26.872402906 CET	50358	445	192.168.2.9	223.92.131.20
Jan 14, 2025 21:07:26.872405052 CET	50359	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.877243042 CET	445	50359	223.92.131.1	192.168.2.9
Jan 14, 2025 21:07:26.877258062 CET	445	50358	223.92.131.20	192.168.2.9
Jan 14, 2025 21:07:26.877306938 CET	50359	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.877320051 CET	50359	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.877337933 CET	50358	445	192.168.2.9	223.92.131.20
Jan 14, 2025 21:07:26.877762079 CET	50360	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.882219076 CET	445	50359	223.92.131.1	192.168.2.9
Jan 14, 2025 21:07:26.882282972 CET	50359	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.883599997 CET	445	50360	223.92.131.1	192.168.2.9
Jan 14, 2025 21:07:26.883656025 CET	50360	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.883687973 CET	50360	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:26.888386011 CET	445	50360	223.92.131.1	192.168.2.9
Jan 14, 2025 21:07:26.960309982 CET	445	50270	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:26.960552931 CET	50270	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:26.960553885 CET	50270	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:26.960553885 CET	50270	445	192.168.2.9	126.245.156.1
Jan 14, 2025 21:07:26.965413094 CET	445	50270	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:26.965852022 CET	445	50270	126.245.156.1	192.168.2.9
Jan 14, 2025 21:07:27.021817923 CET	50361	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.027009010 CET	445	50361	126.245.156.2	192.168.2.9
Jan 14, 2025 21:07:27.027129889 CET	50361	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.027228117 CET	50361	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.027455091 CET	50362	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.032272100 CET	445	50361	126.245.156.2	192.168.2.9
Jan 14, 2025 21:07:27.032366037 CET	50361	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.032454967 CET	445	50362	126.245.156.2	192.168.2.9
Jan 14, 2025 21:07:27.032532930 CET	50362	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.032574892 CET	50362	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:27.037466049 CET	445	50362	126.245.156.2	192.168.2.9
Jan 14, 2025 21:07:27.771889925 CET	50364	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:27.777028084 CET	445	50364	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:27.777160883 CET	50364	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:27.777204037 CET	50364	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:27.782030106 CET	445	50364	103.42.206.1	192.168.2.9
Jan 14, 2025 21:07:28.772981882 CET	445	50284	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:28.773092031 CET	50284	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:28.773178101 CET	50284	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:28.773178101 CET	50284	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:28.778114080 CET	445	50284	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:28.778145075 CET	445	50284	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:28.995608091 CET	445	50287	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:28.995748043 CET	50287	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:28.998728037 CET	50287	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:28.998784065 CET	50287	445	192.168.2.9	138.57.247.1
Jan 14, 2025 21:07:29.003967047 CET	445	50287	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:29.003998041 CET	445	50287	138.57.247.1	192.168.2.9
Jan 14, 2025 21:07:29.053055048 CET	50368	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.058023930 CET	445	50368	138.57.247.2	192.168.2.9
Jan 14, 2025 21:07:29.058128119 CET	50368	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.058171034 CET	50368	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.058583021 CET	50369	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.063221931 CET	445	50368	138.57.247.2	192.168.2.9
Jan 14, 2025 21:07:29.063296080 CET	50368	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.063548088 CET	445	50369	138.57.247.2	192.168.2.9
Jan 14, 2025 21:07:29.063625097 CET	50369	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.063668013 CET	50369	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:29.068531036 CET	445	50369	138.57.247.2	192.168.2.9
Jan 14, 2025 21:07:30.835735083 CET	445	50299	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:30.835835934 CET	50299	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:30.835902929 CET	50299	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:30.835932970 CET	50299	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:30.842681885 CET	445	50299	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:30.842721939 CET	445	50299	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:31.007494926 CET	445	50300	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:31.007668972 CET	50300	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:31.007842064 CET	50300	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:31.008050919 CET	50300	445	192.168.2.9	144.69.237.1
Jan 14, 2025 21:07:31.012672901 CET	445	50300	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:31.013051987 CET	445	50300	144.69.237.1	192.168.2.9
Jan 14, 2025 21:07:31.068988085 CET	50380	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.074084997 CET	445	50380	144.69.237.2	192.168.2.9
Jan 14, 2025 21:07:31.074235916 CET	50380	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.074430943 CET	50380	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.074896097 CET	50381	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.079478025 CET	445	50380	144.69.237.2	192.168.2.9
Jan 14, 2025 21:07:31.079555035 CET	50380	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.079876900 CET	445	50381	144.69.237.2	192.168.2.9
Jan 14, 2025 21:07:31.079950094 CET	50381	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.079991102 CET	50381	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:31.085279942 CET	445	50381	144.69.237.2	192.168.2.9
Jan 14, 2025 21:07:31.787441015 CET	50388	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:31.792494059 CET	445	50388	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:31.792561054 CET	50388	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:31.792603016 CET	50388	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:31.797365904 CET	445	50388	52.145.247.1	192.168.2.9
Jan 14, 2025 21:07:32.679182053 CET	445	50304	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:32.679399014 CET	50304	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:32.679399014 CET	50304	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:32.679399014 CET	50304	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:32.684444904 CET	445	50304	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:32.684478998 CET	445	50304	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:33.069911957 CET	445	50305	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:33.069998980 CET	50305	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:33.070036888 CET	50305	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:33.070094109 CET	50305	445	192.168.2.9	34.81.201.1
Jan 14, 2025 21:07:33.074940920 CET	445	50305	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:33.074954987 CET	445	50305	34.81.201.1	192.168.2.9
Jan 14, 2025 21:07:33.133160114 CET	50402	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.138103008 CET	445	50402	34.81.201.2	192.168.2.9
Jan 14, 2025 21:07:33.138458967 CET	50402	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.138742924 CET	50402	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.138986111 CET	50403	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.143594980 CET	445	50402	34.81.201.2	192.168.2.9
Jan 14, 2025 21:07:33.143654108 CET	50402	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.143800020 CET	445	50403	34.81.201.2	192.168.2.9
Jan 14, 2025 21:07:33.143872976 CET	50403	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.143917084 CET	50403	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:33.148710012 CET	445	50403	34.81.201.2	192.168.2.9
Jan 14, 2025 21:07:33.618527889 CET	445	50307	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:33.618768930 CET	50307	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:33.618834972 CET	50307	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:33.618834972 CET	50307	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:33.623723030 CET	445	50307	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:33.623733997 CET	445	50307	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:33.850050926 CET	50414	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:33.855009079 CET	445	50414	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:33.855309963 CET	50414	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:33.855309963 CET	50414	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:33.860193968 CET	445	50414	186.17.232.1	192.168.2.9
Jan 14, 2025 21:07:34.415513992 CET	445	50310	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:34.415595055 CET	50310	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:34.415673018 CET	50310	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:34.415723085 CET	50310	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:34.420402050 CET	445	50310	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:34.420505047 CET	445	50310	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:35.693619967 CET	50451	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:35.698818922 CET	445	50451	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:35.698892117 CET	50451	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:35.698935032 CET	50451	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:35.703990936 CET	445	50451	50.121.163.1	192.168.2.9
Jan 14, 2025 21:07:36.070075989 CET	445	50313	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:36.070362091 CET	50313	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:36.070362091 CET	50313	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:36.073194027 CET	50313	445	192.168.2.9	71.110.186.1
Jan 14, 2025 21:07:36.075233936 CET	445	50313	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:36.078012943 CET	445	50313	71.110.186.1	192.168.2.9
Jan 14, 2025 21:07:36.631247044 CET	50478	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:36.636219978 CET	445	50478	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:36.636317015 CET	50478	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:36.636341095 CET	50478	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:36.641091108 CET	445	50478	181.171.88.2	192.168.2.9
Jan 14, 2025 21:07:37.101341963 CET	445	50314	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:37.104330063 CET	50314	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:37.104475975 CET	50314	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:37.104476929 CET	50314	445	192.168.2.9	16.10.57.1
Jan 14, 2025 21:07:37.109265089 CET	445	50314	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:37.109270096 CET	445	50314	16.10.57.1	192.168.2.9
Jan 14, 2025 21:07:37.162539959 CET	50498	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.167408943 CET	445	50498	16.10.57.2	192.168.2.9
Jan 14, 2025 21:07:37.167519093 CET	50498	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.167875051 CET	50500	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.168095112 CET	50498	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.172669888 CET	445	50500	16.10.57.2	192.168.2.9
Jan 14, 2025 21:07:37.174346924 CET	50500	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.174395084 CET	50500	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.176248074 CET	445	50498	16.10.57.2	192.168.2.9
Jan 14, 2025 21:07:37.176517963 CET	445	50498	16.10.57.2	192.168.2.9
Jan 14, 2025 21:07:37.176635027 CET	50498	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:37.179188013 CET	445	50500	16.10.57.2	192.168.2.9
Jan 14, 2025 21:07:37.428584099 CET	50511	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:37.433496952 CET	445	50511	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:37.435425043 CET	50511	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:37.436156034 CET	50511	445	192.168.2.9	63.166.202.1
Jan 14, 2025 21:07:37.440948009 CET	445	50511	63.166.202.1	192.168.2.9
Jan 14, 2025 21:07:37.586111069 CET	445	50317	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:37.586229086 CET	50317	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:37.586229086 CET	50317	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:37.586306095 CET	50317	445	192.168.2.9	120.193.75.1
Jan 14, 2025 21:07:37.591219902 CET	445	50317	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:37.591237068 CET	445	50317	120.193.75.1	192.168.2.9
Jan 14, 2025 21:07:39.007467985 CET	445	50320	136.127.160.1	192.168.2.9
Jan 14, 2025 21:07:39.007544041 CET	50320	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:39.105392933 CET	445	50321	68.234.13.1	192.168.2.9
Jan 14, 2025 21:07:39.105467081 CET	50321	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:39.936625957 CET	50381	445	192.168.2.9	144.69.237.2
Jan 14, 2025 21:07:39.936741114 CET	50414	445	192.168.2.9	186.17.232.1
Jan 14, 2025 21:07:39.936815977 CET	50350	445	192.168.2.9	15.212.96.2
Jan 14, 2025 21:07:39.936856985 CET	50500	445	192.168.2.9	16.10.57.2
Jan 14, 2025 21:07:39.936903000 CET	50335	445	192.168.2.9	51.159.121.1
Jan 14, 2025 21:07:39.936903954 CET	50403	445	192.168.2.9	34.81.201.2
Jan 14, 2025 21:07:39.936942101 CET	50320	445	192.168.2.9	136.127.160.1
Jan 14, 2025 21:07:39.937021971 CET	50321	445	192.168.2.9	68.234.13.1
Jan 14, 2025 21:07:39.937050104 CET	50324	445	192.168.2.9	134.238.213.1
Jan 14, 2025 21:07:39.937053919 CET	50325	445	192.168.2.9	77.120.13.1
Jan 14, 2025 21:07:39.937066078 CET	50326	445	192.168.2.9	199.83.239.2
Jan 14, 2025 21:07:39.937091112 CET	50329	445	192.168.2.9	30.228.189.1
Jan 14, 2025 21:07:39.937114954 CET	50331	445	192.168.2.9	3.157.171.2
Jan 14, 2025 21:07:39.937144041 CET	50334	445	192.168.2.9	132.227.104.1
Jan 14, 2025 21:07:39.937295914 CET	50338	445	192.168.2.9	178.61.232.1
Jan 14, 2025 21:07:39.937334061 CET	50344	445	192.168.2.9	90.4.176.1
Jan 14, 2025 21:07:39.937362909 CET	50345	445	192.168.2.9	222.113.31.1
Jan 14, 2025 21:07:39.937377930 CET	50348	445	192.168.2.9	62.129.107.1
Jan 14, 2025 21:07:39.937397957 CET	50353	445	192.168.2.9	178.11.150.1
Jan 14, 2025 21:07:39.937421083 CET	50340	445	192.168.2.9	116.209.81.2
Jan 14, 2025 21:07:39.937444925 CET	50354	445	192.168.2.9	150.135.181.1
Jan 14, 2025 21:07:39.937482119 CET	50357	445	192.168.2.9	111.205.61.1
Jan 14, 2025 21:07:39.937483072 CET	50360	445	192.168.2.9	223.92.131.1
Jan 14, 2025 21:07:39.937500000 CET	50362	445	192.168.2.9	126.245.156.2
Jan 14, 2025 21:07:39.937529087 CET	50364	445	192.168.2.9	103.42.206.1
Jan 14, 2025 21:07:39.937546968 CET	50369	445	192.168.2.9	138.57.247.2
Jan 14, 2025 21:07:39.937582016 CET	50388	445	192.168.2.9	52.145.247.1
Jan 14, 2025 21:07:39.937616110 CET	50478	445	192.168.2.9	181.171.88.2
Jan 14, 2025 21:07:39.937654018 CET	50451	445	192.168.2.9	50.121.163.1
Jan 14, 2025 21:07:39.937728882 CET	50511	445	192.168.2.9	63.166.202.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:06:31.993257999 CET	58034	53	192.168.2.9	1.1.1.1
Jan 14, 2025 21:06:32.300337076 CET	53	58034	1.1.1.1	192.168.2.9
Jan 14, 2025 21:06:32.948096991 CET	57431	53	192.168.2.9	1.1.1.1
Jan 14, 2025 21:06:33.130820036 CET	53	57431	1.1.1.1	192.168.2.9
Jan 14, 2025 21:07:22.370839119 CET	138	138	192.168.2.9	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 21:06:31.993257999 CET	192.168.2.9	1.1.1.1	0x99cb	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:06:32.948096991 CET	192.168.2.9	1.1.1.1	0xf302	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 21:06:25.718956947 CET	1.1.1.1	192.168.2.9	0x60ef	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 21:06:25.718956947 CET	1.1.1.1	192.168.2.9	0x60ef	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:06:32.300337076 CET	1.1.1.1	192.168.2.9	0x99cb	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:06:33.130820036 CET	1.1.1.1	192.168.2.9	0xf302	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 21:06:33.130820036 CET	1.1.1.1	192.168.2.9	0xf302	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49742	103.224.212.215	80	7816	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:06:32.322264910 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:06:32.939353943 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:06:32 GMT server: Apache set-cookie: __tad=1736885192.5042682; expires=Fri, 12-Jan-2035 20:06:32 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a01 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49748	199.59.243.228	80	7816	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:06:33.138122082 CET	169	OUT	GET /?subid1=20250115-0706-326f-9c7c-3821cc5c3a01 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:06:33.599946022 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:06:33 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 8462b0ae-2235-4789-ae47-4c74deb8c66f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ETjHj0Cb2JXaADlLP9SesdWv+DvVMWulGOmN3/bzpJWdAXyfr5BnSoAv21a9xW9nnFBnoBM0fheT+Bd0/0qNzw== set-cookie: parking_session=8462b0ae-2235-4789-ae47-4c74deb8c66f; expires=Tue, 14 Jan 2025 20:21:33 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 45 54 6a 48 6a 30 43 62 32 4a 58 61 41 44 6c 4c 50 39 53 65 73 64 57 76 2b 44 76 56 4d 57 75 6c 47 4f 6d 4e 33 2f 62 7a 70 4a 57 64 41 58 79 66 72 35 42 6e 53 6f 41 76 32 31 61 39 78 57 39 6e 6e 46 42 6e 6f 42 4d 30 66 68 65 54 2b 42 64 30 2f 30 71 4e 7a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ETjHj0Cb2JXaADlLP9SesdWv+DvVMWulGOmN3/bzpJWdAXyfr5BnSoAv21a9xW9nnFBnoBM0fheT+Bd0/0qNzw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:06:33.599968910 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODQ2MmIwYWUtMjIzNS00Nzg5LWFlNDctNGM3NGRlYjhjNjZmIiwicGFnZV90aW1lIjoxNzM2ODg1MTkzLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49754	103.224.212.215	80	7920	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:06:33.830791950 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 21:06:34.454596996 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:06:34 GMT server: Apache set-cookie: __tad=1736885194.5933532; expires=Fri, 12-Jan-2035 20:06:34 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c83701 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49760	103.224.212.215	80	7976	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:06:34.584914923 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736885192.5042682
Jan 14, 2025 21:06:35.193245888 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 20:06:35 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e6972f content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49761	199.59.243.228	80	7920	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:06:34.588896036 CET	169	OUT	GET /?subid1=20250115-0706-3461-b88e-f77f83c83701 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 21:06:35.044425011 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:06:34 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 109a7d1a-7f89-44da-bced-687624b9a5f2 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kA5pzlosWM3CYX/Kkvz+zbti6p3UYn1DUjNAjx+pTqy3DnJGX4pJlhklkEFGYhFDvxJOUzstlTN/y/KjcQcQeQ== set-cookie: parking_session=109a7d1a-7f89-44da-bced-687624b9a5f2; expires=Tue, 14 Jan 2025 20:21:34 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 41 35 70 7a 6c 6f 73 57 4d 33 43 59 58 2f 4b 6b 76 7a 2b 7a 62 74 69 36 70 33 55 59 6e 31 44 55 6a 4e 41 6a 78 2b 70 54 71 79 33 44 6e 4a 47 58 34 70 4a 6c 68 6b 6c 6b 45 46 47 59 68 46 44 76 78 4a 4f 55 7a 73 74 6c 54 4e 2f 79 2f 4b 6a 63 51 63 51 65 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kA5pzlosWM3CYX/Kkvz+zbti6p3UYn1DUjNAjx+pTqy3DnJGX4pJlhklkEFGYhFDvxJOUzstlTN/y/KjcQcQeQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 21:06:35.044482946 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTA5YTdkMWEtN2Y4OS00NGRhLWJjZWQtNjg3NjI0YjlhNWYyIiwicGFnZV90aW1lIjoxNzM2ODg1MTk0LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49769	199.59.243.228	80	7976	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:06:35.204560995 CET	231	OUT	GET /?subid1=20250115-0706-350f-b72d-c6b0b8e6972f HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=8462b0ae-2235-4789-ae47-4c74deb8c66f
Jan 14, 2025 21:06:35.670603037 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 20:06:35 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: ea20e9e6-834b-4346-b34b-b98ccc9e2158 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yOsfiu8vJ2t6isdOlvRtB56LXmjbstkC+dfEuJjnzHFFL0AtEaPwKAgbQQrFuXPng+CPaKakBO3/sePH93auxA== set-cookie: parking_session=8462b0ae-2235-4789-ae47-4c74deb8c66f; expires=Tue, 14 Jan 2025 20:21:35 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 79 4f 73 66 69 75 38 76 4a 32 74 36 69 73 64 4f 6c 76 52 74 42 35 36 4c 58 6d 6a 62 73 74 6b 43 2b 64 66 45 75 4a 6a 6e 7a 48 46 46 4c 30 41 74 45 61 50 77 4b 41 67 62 51 51 72 46 75 58 50 6e 67 2b 43 50 61 4b 61 6b 42 4f 33 2f 73 65 50 48 39 33 61 75 78 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yOsfiu8vJ2t6isdOlvRtB56LXmjbstkC+dfEuJjnzHFFL0AtEaPwKAgbQQrFuXPng+CPaKakBO3/sePH93auxA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 21:06:35.670659065 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODQ2MmIwYWUtMjIzNS00Nzg5LWFlNDctNGM3NGRlYjhjNjZmIiwicGFnZV90aW1lIjoxNzM2ODg1MTk1LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	15:06:30
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll"
Imagebase:	0xd50000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:06:30
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:06:30
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:06:30
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\sUlHfYQxNw.dll,PlayGame
Imagebase:	0xa80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:06:30
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",#1
Imagebase:	0xa80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:06:30
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	B01DB44786F461C9415813F968A7664A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1356648127.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:06:33
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	B01DB44786F461C9415813F968A7664A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2032119796.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2031833962.0000000001FB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1379865895.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:06:33
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\sUlHfYQxNw.dll",PlayGame
Imagebase:	0xa80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:06:33
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	B01DB44786F461C9415813F968A7664A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1385339292.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1400701115.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

tasksche.exe, xrefs: 00407DEA
WINDOWS, xrefs: 00407DF2, 00407E0D
D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
C:\%s\%s, xrefs: 00407DFB
CloseHandle, xrefs: 00407D29
kernel32.dll, xrefs: 00407CEA
/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000006.00000002.1395421706.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1395401133.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395444466.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395512402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1395421706.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1395401133.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395444466.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395512402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1395421706.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1395401133.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395444466.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395512402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.1395421706.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1395401133.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395444466.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395512402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1395421706.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1395401133.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395444466.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395512402.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1395600709.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7920, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2030939215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2030923800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030956785.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031022901.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031038558.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2030939215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2030923800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030956785.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031022901.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031038558.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000008.00000002.2030939215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2030923800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030956785.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031022901.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031038558.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29
C:\%s\%s, xrefs: 00407DFB
WriteFile, xrefs: 00407D1C
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000008.00000002.2030939215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2030923800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030956785.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031022901.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031038558.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2030939215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2030923800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030956785.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2030971446.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031022901.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031038558.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000733000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.0000000000775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2031130627.00000000007D0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a01	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e6972f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c837	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c83701	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e697	Avira URL Cloud: Label: malware

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 65%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 65%

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0706-326f-9c7c-3821cc5c3a01 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736885192.5042682
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0706-3461-b88e-f77f83c83701 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0706-350f-b72d-c6b0b8e6972f HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=8462b0ae-2235-4789-ae47-4c74deb8c66f

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49742 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49754 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.223
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.223
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.223
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.223
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.157.171.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.210
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.210
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.210
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.210
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.209.81.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.173
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.173
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.173
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.173
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 15.212.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.111
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.111
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.111
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.245.156.1

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.1396004769.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-326f-9c7c-3821cc5c3a
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-3461-b88e-f77f83c837
Source: mssecsvr.exe, 0000000A.00000002.1401202588.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0706-350f-b72d-c6b0b8e697
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B
Source: sUlHfYQxNw.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 0000000A.00000002.1401202588.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1401202588.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/#
Source: mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/R
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/b
Source: mssecsvr.exe, 00000008.00000002.2031364988.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r
Source: mssecsvr.exe, 00000008.00000002.2030892381.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 0000000A.00000002.1401202588.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comQ

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: Yara match	File source: sUlHfYQxNw.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvr.exe.24e9948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1fb8104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1fa9084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.24da8c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1fb8104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1fb40a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.24e58e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.24e9948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2031007037.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1356648127.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1395464825.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2032119796.00000000024E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1385339292.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2031833962.0000000001FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1400701115.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1379865895.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7976, type: MEMORYSTR

Source: sUlHfYQxNw.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.24da8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1fa9084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.24e9948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.24e9948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1fb8104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1fb8104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1fa9084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1fa9084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.24da8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.24da8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1fb8104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1fb40a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.24e58e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.24e9948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: sUlHfYQxNw.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.24da8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1fa9084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.24e9948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.24e9948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1fb8104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1fb8104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1fa9084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1fa9084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.24da8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.24da8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1fb8104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1fb40a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.24e58e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.24e9948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sUlHfYQxNw.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
sUlHfYQxNw.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre