Edit tour

Windows Analysis Report
04Ct9PoJrL.dll

Overview

General Information

Sample name:	04Ct9PoJrL.dll renamed because original name is a hash value
Original sample name:	e49594ffa18e330c8692d88dc8e73752.dll
Analysis ID:	1591378
MD5:	e49594ffa18e330c8692d88dc8e73752
SHA1:	7c046ae2a48dc43a0d8a1007b5ab83c678bfb9a5
SHA256:	55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4052 cmdline: loaddll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6500 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7032 cmdline: rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 5176 cmdline: C:\WINDOWS\mssecsvr.exe MD5: DDC00ED41F44D1047F3D34DC3B6D6A47)

rundll32.exe (PID: 3728 cmdline: rundll32.exe C:\Users\user\Desktop\04Ct9PoJrL.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2896 cmdline: rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 1596 cmdline: C:\WINDOWS\mssecsvr.exe MD5: DDC00ED41F44D1047F3D34DC3B6D6A47)

mssecsvr.exe (PID: 3384 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: DDC00ED41F44D1047F3D34DC3B6D6A47)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
04Ct9PoJrL.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
04Ct9PoJrL.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.2200798894.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2245265160.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2228574250.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2227545869.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2881995762.0000000002284000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2881728256.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 5176	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3384	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 1596	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.22758c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4f084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d5e104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5e104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5e104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2284948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2284948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2284948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.22758c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22758c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.22758c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d4f084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d4f084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1d4f084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1d5e104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5e104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2284948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2284948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.22808e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.22808e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1d5a0a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1d5a0a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
Click to see the 35 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:01:17.741230+0100	2803304	3	Unknown Traffic	192.168.2.6	49723	103.224.212.215	80	TCP
2025-01-14T23:01:19.676725+0100	2803304	3	Unknown Traffic	192.168.2.6	49735	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:01:16.778051+0100	2830018	1	A Network Trojan was detected	192.168.2.6	60950	1.1.1.1	53	UDP

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03

Source: 04Ct9PoJrL.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\04Ct9PoJrL.dll,PlayGame

Source: 04Ct9PoJrL.dll	ReversingLabs: Detection: 91%
Source: 04Ct9PoJrL.dll	Virustotal: Detection: 91%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\04Ct9PoJrL.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\04Ct9PoJrL.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 04Ct9PoJrL.dll

Static file information: File size 5267459 > 1048576

Source: 04Ct9PoJrL.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.10.dr

Static PE information: section name: .text entropy: 7.59119556320733

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Windows\mssecsvr.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe

Dropped PE file which has not been started: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 6600	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6600	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2224	Thread sleep count: 124 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 2224	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6600	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000006.00000002.2245439080.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2245439080.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2244826751.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2245851204.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A68000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
04Ct9PoJrL.dll	91%	ReversingLabs	Win32.Ransomware.WannaCry
04Ct9PoJrL.dll	92%	Virustotal		Browse
04Ct9PoJrL.dll	100%	Avira	TR/Ransom.Gen
04Ct9PoJrL.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	79%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc5429	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc09356b	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc542911	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d3b	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc0935	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc542911	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d3b	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc09356b	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/N	mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L	mssecsvr.exe, 00000006.00000002.2245439080.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/-	mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A-	mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/M	mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/k	mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc5429	mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.2245439080.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	04Ct9PoJrL.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d	mssecsvr.exe, 00000006.00000002.2245439080.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc0935	mssecsvr.exe, 00000008.00000002.2881281855.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2244826751.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2880792537.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
170.88.223.1	unknown	United States	13649	ASN-VINSUS	false
180.1.23.128	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
104.53.109.1	unknown	United States	7018	ATT-INTERNET4US	false
17.84.70.73	unknown	United States	714	APPLE-ENGINEERINGUS	false
7.123.157.99	unknown	United States	3356	LEVEL3US	false
184.175.83.95	unknown	United States	7393	CYBERCONUS	false
116.235.7.2	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
116.235.7.1	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
220.125.197.1	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
12.2.240.16	unknown	United States	7018	ATT-INTERNET4US	false
118.161.193.22	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
22.174.74.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
53.26.1.45	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
126.128.51.225	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
100.32.218.2	unknown	United States	5650	FRONTIER-FRTRUS	false
100.32.218.1	unknown	United States	5650	FRONTIER-FRTRUS	false
180.181.199.1	unknown	Australia	7477	TEREDONN-AS-APSkyMeshPtyLtdAU	false
35.223.142.180	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591378
Start date and time:	2025-01-14 23:00:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	04Ct9PoJrL.dll renamed because original name is a hash value
Original Sample Name:	e49594ffa18e330c8692d88dc8e73752.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@17/1@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.17.190.73, 199.232.214.172, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:01:17	API Interceptor	1x Sleep call for process: loaddll32.exe modified
17:01:53	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-VINSUS	m68k.elf	Get hash	malicious	Unknown	Browse	208.115.40.7
	sora.mips.elf	Get hash	malicious	Unknown	Browse	69.2.223.131
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	64.58.232.177
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	64.58.232.179
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	64.58.232.176
	armv4l.elf	Get hash	malicious	Mirai	Browse	155.63.212.120
	ppc.elf	Get hash	malicious	Unknown	Browse	69.2.210.88
	nklm68k.elf	Get hash	malicious	Unknown	Browse	148.175.128.232
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	74.63.166.123
	nsharm7.elf	Get hash	malicious	Mirai	Browse	74.85.134.238
ATT-INTERNET4US	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	75.17.203.1
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	76.252.20.1
	http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664	Get hash	malicious	Phisher	Browse	13.32.23.8
	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	172.142.199.1
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	75.63.94.202
	k6fBkyS1R6.dll	Get hash	malicious	Wannacry	Browse	12.213.51.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	12.85.167.44
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	13.32.27.22
	meth3.elf	Get hash	malicious	Mirai	Browse	13.183.171.175
	meth1.elf	Get hash	malicious	Mirai	Browse	99.160.219.59
OCNNTTCommunicationsCorporationJP	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	153.157.148.172
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	125.172.29.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	123.224.18.174
	meth10.elf	Get hash	malicious	Mirai	Browse	157.106.137.200
	meth3.elf	Get hash	malicious	Mirai	Browse	123.222.206.237
	meth1.elf	Get hash	malicious	Mirai	Browse	58.92.220.23
	x86.elf	Get hash	malicious	Unknown	Browse	153.204.125.184
	meth4.elf	Get hash	malicious	Mirai	Browse	157.69.76.176
	i486.elf	Get hash	malicious	Unknown	Browse	125.173.202.252
	meth2.elf	Get hash	malicious	Mirai	Browse	180.21.71.141
LEVEL3US	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	4.3.90.171
	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	6.45.217.1
	FjSrGs0AE2.dll	Get hash	malicious	Wannacry	Browse	6.20.56.1
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	7.224.74.1
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	7.204.138.1
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	4.163.94.1
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	4.143.32.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	4.78.223.133
	meth10.elf	Get hash	malicious	Mirai	Browse	9.193.50.113
	meth3.elf	Get hash	malicious	Mirai	Browse	8.249.142.22

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	40.115.3.253 40.113.103.199
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	40.115.3.253 40.113.103.199
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253 40.113.103.199
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.115.3.253 40.113.103.199
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	40.115.3.253 40.113.103.199
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.115.3.253 40.113.103.199

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.155352387888075
Encrypted:	false
SSDEEP:	24576:tiBJMSirYbcMNgef0QeQjG/D8kIqY6626WgkQg6eX6SASk+RdhAdmvm:EMSPbcBVQej/P6kQo6SAARdhnvm
MD5:	6BD1043F3640D1B61C8DD87D0D62008E
SHA1:	B2D7977CE507949C6A1B32548F20B5688CF42DA1
SHA-256:	7EB6A199F33C523B6409F385DA2FDAC2A50D57FFE182648BDB7A1BD1F15CD24B
SHA-512:	2C81021245DD5B38F085413FCDF637F5213AEE14E2EB571526C651CA551104B4A3C0EC27CD8EBB37C089A2457CF483E622B2CA0A35BB46C24B70AD8CC52653AA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.7053538843914904
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	04Ct9PoJrL.dll
File size:	5'267'459 bytes
MD5:	e49594ffa18e330c8692d88dc8e73752
SHA1:	7c046ae2a48dc43a0d8a1007b5ab83c678bfb9a5
SHA256:	55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325
SHA512:	47cc0dabfae78c8c405b3e447871be5725ca0d7294a89ba2927f62d6f105ad2c33bf3940a43555e5b4552366288af50965251ca2899292c09a131e9c8cfefd2f
SSDEEP:	24576:RbLguriBJMSirYbcMNgef0QeQjG/D8kIqY6626WgkQg6eX6SASk+RdhAdmv:RnGMSPbcBVQej/P6kQo6SAARdhnv
TLSH:	0A362396746C90F8D20A257498AB4B16B2F77C3921FA2A0FEF508E352D13F52E754B13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F1EF8DDCBEBh
cmp dword ptr [10003140h], 00000000h
jmp 00007F1EF8DDCC08h
cmp esi, 01h
je 00007F1EF8DDCBE7h
cmp esi, 02h
jne 00007F1EF8DDCC04h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F1EF8DDCBEBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F1EF8DDCBEEh
push edi
push esi
push ebx
call 00007F1EF8DDCAFAh
test eax, eax
jne 00007F1EF8DDCBE6h
xor eax, eax
jmp 00007F1EF8DDCC30h
push edi
push esi
push ebx
call 00007F1EF8DDC9ACh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F1EF8DDCBEEh
test eax, eax
jne 00007F1EF8DDCC19h
push edi
push eax
push ebx
call 00007F1EF8DDCAD6h
test esi, esi
je 00007F1EF8DDCBE7h
cmp esi, 03h
jne 00007F1EF8DDCC08h
push edi
push esi
push ebx
call 00007F1EF8DDCAC5h
test eax, eax
jne 00007F1EF8DDCBE5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F1EF8DDCBF3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F1EF8DDCBEAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	04fd2f163aea92b9f84ecd8f6e69005e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8766069412231445

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T23:01:16.778051+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.6	60950	1.1.1.1	53	UDP
2025-01-14T23:01:17.741230+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49723	103.224.212.215	80	TCP
2025-01-14T23:01:19.676725+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49735	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:01:09.479573011 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:09.479604959 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:09.792109966 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:11.938352108 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:11.938393116 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:11.938484907 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:11.939023018 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:11.939040899 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:12.836208105 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:12.836314917 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:12.839603901 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:12.839616060 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:12.840019941 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:12.841614008 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:12.841665030 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:12.841671944 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:12.841778040 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:12.883347034 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:13.020889044 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:13.020996094 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:13.021092892 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:13.021203041 CET	49711	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:01:13.021222115 CET	443	49711	40.115.3.253	192.168.2.6
Jan 14, 2025 23:01:17.093214035 CET	49723	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:17.098079920 CET	80	49723	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:17.098191023 CET	49723	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:17.102667093 CET	49723	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:17.107500076 CET	80	49723	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:17.741022110 CET	80	49723	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:17.741172075 CET	80	49723	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:17.741230011 CET	49723	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:17.741230011 CET	49723	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:17.792084932 CET	49723	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:17.797147989 CET	80	49723	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:18.272572994 CET	49729	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:18.277378082 CET	80	49729	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:18.277441978 CET	49729	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:18.277554989 CET	49729	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:18.282305002 CET	80	49729	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:18.813663006 CET	80	49729	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:18.813677073 CET	80	49729	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:18.813749075 CET	49729	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:18.819091082 CET	49729	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:18.819109917 CET	49729	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:18.956393003 CET	49735	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:18.961257935 CET	80	49735	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:18.961427927 CET	49735	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:18.961429119 CET	49735	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:18.966267109 CET	80	49735	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.081737995 CET	49736	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.086549044 CET	80	49736	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.086611986 CET	49736	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.086731911 CET	49736	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.089159966 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:19.089914083 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:19.091429949 CET	80	49736	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.401679993 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:19.676537991 CET	80	49735	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.676552057 CET	80	49735	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.676724911 CET	49735	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.679009914 CET	49735	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.680103064 CET	49742	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:19.683804989 CET	80	49735	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.684962034 CET	80	49742	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:19.685030937 CET	49742	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:19.685148001 CET	49742	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:19.689904928 CET	80	49742	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:19.749943972 CET	80	49736	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.750046968 CET	49736	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.750123024 CET	80	49736	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.750174046 CET	49736	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.754996061 CET	49736	80	192.168.2.6	103.224.212.215
Jan 14, 2025 23:01:19.757488012 CET	49743	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:19.759768009 CET	80	49736	103.224.212.215	192.168.2.6
Jan 14, 2025 23:01:19.762307882 CET	80	49743	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:19.762384892 CET	49743	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:19.762582064 CET	49743	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:19.767354965 CET	80	49743	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:20.159326077 CET	80	49742	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:20.159383059 CET	80	49742	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:20.159456968 CET	49742	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:20.218041897 CET	80	49743	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:20.218075037 CET	80	49743	199.59.243.228	192.168.2.6
Jan 14, 2025 23:01:20.218179941 CET	49743	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:20.256515980 CET	49742	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:20.256668091 CET	49742	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:20.395574093 CET	49743	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:20.395602942 CET	49743	80	192.168.2.6	199.59.243.228
Jan 14, 2025 23:01:20.583683968 CET	49749	445	192.168.2.6	100.32.218.101
Jan 14, 2025 23:01:20.588507891 CET	445	49749	100.32.218.101	192.168.2.6
Jan 14, 2025 23:01:20.588579893 CET	49749	445	192.168.2.6	100.32.218.101
Jan 14, 2025 23:01:20.588615894 CET	49749	445	192.168.2.6	100.32.218.101
Jan 14, 2025 23:01:20.593709946 CET	445	49749	100.32.218.101	192.168.2.6
Jan 14, 2025 23:01:20.593765020 CET	49749	445	192.168.2.6	100.32.218.101
Jan 14, 2025 23:01:20.601339102 CET	49750	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.606183052 CET	445	49750	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:20.606249094 CET	49750	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.606358051 CET	49750	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.613234043 CET	49751	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.614661932 CET	445	49750	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:20.614705086 CET	49750	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.615221977 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:20.615273952 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:20.615345001 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:20.615899086 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:20.615911961 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:20.618048906 CET	445	49751	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:20.618108988 CET	49751	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.618149042 CET	49751	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:20.622925997 CET	445	49751	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:21.044075012 CET	443	49707	173.222.162.64	192.168.2.6
Jan 14, 2025 23:01:21.044161081 CET	49707	443	192.168.2.6	173.222.162.64
Jan 14, 2025 23:01:21.421482086 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.421561956 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.423089027 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.423105001 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.423450947 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.424879074 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.424941063 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.424947977 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.425118923 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.471335888 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.615545988 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.616592884 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.616835117 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.616883993 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:21.616908073 CET	443	49752	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:21.616919994 CET	49752	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:22.579498053 CET	49785	445	192.168.2.6	17.84.70.73
Jan 14, 2025 23:01:22.584711075 CET	445	49785	17.84.70.73	192.168.2.6
Jan 14, 2025 23:01:22.584788084 CET	49785	445	192.168.2.6	17.84.70.73
Jan 14, 2025 23:01:22.584856987 CET	49785	445	192.168.2.6	17.84.70.73
Jan 14, 2025 23:01:22.585155010 CET	49786	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:22.589754105 CET	445	49785	17.84.70.73	192.168.2.6
Jan 14, 2025 23:01:22.589809895 CET	49785	445	192.168.2.6	17.84.70.73
Jan 14, 2025 23:01:22.589952946 CET	445	49786	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:22.590009928 CET	49786	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:22.590061903 CET	49786	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:22.591280937 CET	49787	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:22.596096992 CET	445	49787	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:22.596153021 CET	49787	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:22.596188068 CET	49787	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:22.596856117 CET	445	49786	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:22.600933075 CET	445	49787	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:22.614039898 CET	445	49786	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:22.614106894 CET	49786	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:24.606280088 CET	49820	445	192.168.2.6	118.161.193.22
Jan 14, 2025 23:01:24.611212969 CET	445	49820	118.161.193.22	192.168.2.6
Jan 14, 2025 23:01:24.611299038 CET	49820	445	192.168.2.6	118.161.193.22
Jan 14, 2025 23:01:24.611401081 CET	49820	445	192.168.2.6	118.161.193.22
Jan 14, 2025 23:01:24.611646891 CET	49822	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.616497040 CET	445	49822	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:24.616580963 CET	49822	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.616633892 CET	49822	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.618069887 CET	49823	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.620959997 CET	445	49820	118.161.193.22	192.168.2.6
Jan 14, 2025 23:01:24.622914076 CET	445	49823	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:24.622973919 CET	49823	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.623018026 CET	49823	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.623723030 CET	445	49820	118.161.193.22	192.168.2.6
Jan 14, 2025 23:01:24.623784065 CET	49820	445	192.168.2.6	118.161.193.22
Jan 14, 2025 23:01:24.624007940 CET	445	49822	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:24.624056101 CET	49822	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:24.627952099 CET	445	49823	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:26.606740952 CET	49858	445	192.168.2.6	36.109.88.113
Jan 14, 2025 23:01:26.611624002 CET	445	49858	36.109.88.113	192.168.2.6
Jan 14, 2025 23:01:26.611720085 CET	49858	445	192.168.2.6	36.109.88.113
Jan 14, 2025 23:01:26.611743927 CET	49858	445	192.168.2.6	36.109.88.113
Jan 14, 2025 23:01:26.611901999 CET	49859	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.616764069 CET	445	49859	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:26.616797924 CET	445	49858	36.109.88.113	192.168.2.6
Jan 14, 2025 23:01:26.616838932 CET	49859	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.616849899 CET	49859	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.616869926 CET	49858	445	192.168.2.6	36.109.88.113
Jan 14, 2025 23:01:26.618298054 CET	49860	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.622988939 CET	445	49859	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:26.623069048 CET	49859	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.624119997 CET	445	49860	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:26.624193907 CET	49860	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.624263048 CET	49860	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:26.631429911 CET	445	49860	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:28.621831894 CET	49898	445	192.168.2.6	221.93.116.233
Jan 14, 2025 23:01:28.626816988 CET	445	49898	221.93.116.233	192.168.2.6
Jan 14, 2025 23:01:28.626916885 CET	49898	445	192.168.2.6	221.93.116.233
Jan 14, 2025 23:01:28.626955986 CET	49898	445	192.168.2.6	221.93.116.233
Jan 14, 2025 23:01:28.627113104 CET	49899	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:28.631983042 CET	445	49899	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:28.632091045 CET	445	49898	221.93.116.233	192.168.2.6
Jan 14, 2025 23:01:28.632245064 CET	49898	445	192.168.2.6	221.93.116.233
Jan 14, 2025 23:01:28.632673979 CET	49899	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:28.633214951 CET	49900	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:28.637686014 CET	445	49899	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:28.637758970 CET	49899	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:28.638052940 CET	445	49900	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:28.638128996 CET	49900	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:28.638200998 CET	49900	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:28.642996073 CET	445	49900	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:30.637623072 CET	49934	445	192.168.2.6	11.83.7.173
Jan 14, 2025 23:01:30.663753033 CET	445	49934	11.83.7.173	192.168.2.6
Jan 14, 2025 23:01:30.663820982 CET	49934	445	192.168.2.6	11.83.7.173
Jan 14, 2025 23:01:30.663893938 CET	49934	445	192.168.2.6	11.83.7.173
Jan 14, 2025 23:01:30.664141893 CET	49936	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.670078993 CET	445	49936	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:30.670253992 CET	49936	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.670412064 CET	49936	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.671307087 CET	445	49934	11.83.7.173	192.168.2.6
Jan 14, 2025 23:01:30.671343088 CET	49937	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.671360016 CET	49934	445	192.168.2.6	11.83.7.173
Jan 14, 2025 23:01:30.675185919 CET	445	49936	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:30.675234079 CET	49936	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.676192045 CET	445	49937	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:30.676255941 CET	49937	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.676296949 CET	49937	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:30.681046009 CET	445	49937	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:32.652945042 CET	49970	445	192.168.2.6	116.235.7.103
Jan 14, 2025 23:01:32.657735109 CET	445	49970	116.235.7.103	192.168.2.6
Jan 14, 2025 23:01:32.657810926 CET	49970	445	192.168.2.6	116.235.7.103
Jan 14, 2025 23:01:32.657867908 CET	49970	445	192.168.2.6	116.235.7.103
Jan 14, 2025 23:01:32.658045053 CET	49971	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.662727118 CET	445	49970	116.235.7.103	192.168.2.6
Jan 14, 2025 23:01:32.662800074 CET	445	49971	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:32.662807941 CET	49970	445	192.168.2.6	116.235.7.103
Jan 14, 2025 23:01:32.662939072 CET	49971	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.663008928 CET	49971	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.663479090 CET	49972	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.667830944 CET	445	49971	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:32.668210030 CET	445	49972	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:32.668240070 CET	49971	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.668303967 CET	49972	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.668303967 CET	49972	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:32.673103094 CET	445	49972	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:34.207115889 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:34.207170963 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:34.207350016 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:34.211369038 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:34.211396933 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:34.668879032 CET	50008	445	192.168.2.6	7.123.157.99
Jan 14, 2025 23:01:34.673727989 CET	445	50008	7.123.157.99	192.168.2.6
Jan 14, 2025 23:01:34.673815966 CET	50008	445	192.168.2.6	7.123.157.99
Jan 14, 2025 23:01:34.673855066 CET	50008	445	192.168.2.6	7.123.157.99
Jan 14, 2025 23:01:34.673974037 CET	50009	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.678720951 CET	445	50009	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:34.678759098 CET	445	50008	7.123.157.99	192.168.2.6
Jan 14, 2025 23:01:34.678786993 CET	50009	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.678800106 CET	50009	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.678817987 CET	50008	445	192.168.2.6	7.123.157.99
Jan 14, 2025 23:01:34.679073095 CET	50010	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.683692932 CET	445	50009	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:34.683758020 CET	50009	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.683834076 CET	445	50010	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:34.683907032 CET	50010	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.683965921 CET	50010	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:34.688738108 CET	445	50010	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:35.095088005 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.095176935 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.101949930 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.101965904 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.102713108 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.105010033 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.105906010 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.105912924 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.106098890 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.147326946 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.282227039 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.282448053 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:35.282514095 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.282619953 CET	49999	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:35.282636881 CET	443	49999	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:36.684174061 CET	50048	445	192.168.2.6	180.1.23.128
Jan 14, 2025 23:01:36.689055920 CET	445	50048	180.1.23.128	192.168.2.6
Jan 14, 2025 23:01:36.689157009 CET	50048	445	192.168.2.6	180.1.23.128
Jan 14, 2025 23:01:36.689191103 CET	50048	445	192.168.2.6	180.1.23.128
Jan 14, 2025 23:01:36.689357042 CET	50049	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.694150925 CET	445	50049	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:36.694236040 CET	50049	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.694259882 CET	445	50048	180.1.23.128	192.168.2.6
Jan 14, 2025 23:01:36.694268942 CET	50049	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.694323063 CET	50048	445	192.168.2.6	180.1.23.128
Jan 14, 2025 23:01:36.694820881 CET	50050	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.699203968 CET	445	50049	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:36.699269056 CET	50049	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.699812889 CET	445	50050	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:36.699925900 CET	50050	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.700234890 CET	50050	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:36.704943895 CET	445	50050	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:38.699748993 CET	50083	445	192.168.2.6	219.163.9.154
Jan 14, 2025 23:01:38.705173016 CET	445	50083	219.163.9.154	192.168.2.6
Jan 14, 2025 23:01:38.705338001 CET	50083	445	192.168.2.6	219.163.9.154
Jan 14, 2025 23:01:38.705338001 CET	50083	445	192.168.2.6	219.163.9.154
Jan 14, 2025 23:01:38.705516100 CET	50084	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.711915016 CET	445	50084	219.163.9.1	192.168.2.6
Jan 14, 2025 23:01:38.712033033 CET	50084	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.712064028 CET	445	50083	219.163.9.154	192.168.2.6
Jan 14, 2025 23:01:38.712104082 CET	50084	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.712163925 CET	50083	445	192.168.2.6	219.163.9.154
Jan 14, 2025 23:01:38.712306976 CET	50085	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.717042923 CET	445	50084	219.163.9.1	192.168.2.6
Jan 14, 2025 23:01:38.717101097 CET	445	50085	219.163.9.1	192.168.2.6
Jan 14, 2025 23:01:38.717143059 CET	50084	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.717279911 CET	50085	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.717294931 CET	50085	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:01:38.722109079 CET	445	50085	219.163.9.1	192.168.2.6
Jan 14, 2025 23:01:40.735328913 CET	50119	445	192.168.2.6	2.141.195.198
Jan 14, 2025 23:01:40.740185976 CET	445	50119	2.141.195.198	192.168.2.6
Jan 14, 2025 23:01:40.740262985 CET	50119	445	192.168.2.6	2.141.195.198
Jan 14, 2025 23:01:40.740313053 CET	50119	445	192.168.2.6	2.141.195.198
Jan 14, 2025 23:01:40.740475893 CET	50120	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.745389938 CET	445	50120	2.141.195.1	192.168.2.6
Jan 14, 2025 23:01:40.745423079 CET	445	50119	2.141.195.198	192.168.2.6
Jan 14, 2025 23:01:40.745456934 CET	50120	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.745479107 CET	50119	445	192.168.2.6	2.141.195.198
Jan 14, 2025 23:01:40.747615099 CET	50120	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.748294115 CET	50121	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.753241062 CET	445	50121	2.141.195.1	192.168.2.6
Jan 14, 2025 23:01:40.753294945 CET	445	50120	2.141.195.1	192.168.2.6
Jan 14, 2025 23:01:40.753302097 CET	50121	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.753348112 CET	50120	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.755907059 CET	50121	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:01:40.760766983 CET	445	50121	2.141.195.1	192.168.2.6
Jan 14, 2025 23:01:41.980011940 CET	445	49751	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:41.980283976 CET	49751	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:41.980307102 CET	49751	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:41.980364084 CET	49751	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:41.985075951 CET	445	49751	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:41.985119104 CET	445	49751	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:42.747098923 CET	50155	445	192.168.2.6	35.223.142.180
Jan 14, 2025 23:01:42.751894951 CET	445	50155	35.223.142.180	192.168.2.6
Jan 14, 2025 23:01:42.751975060 CET	50155	445	192.168.2.6	35.223.142.180
Jan 14, 2025 23:01:42.752053976 CET	50155	445	192.168.2.6	35.223.142.180
Jan 14, 2025 23:01:42.752245903 CET	50156	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.756942034 CET	445	50155	35.223.142.180	192.168.2.6
Jan 14, 2025 23:01:42.756997108 CET	445	50156	35.223.142.1	192.168.2.6
Jan 14, 2025 23:01:42.756998062 CET	50155	445	192.168.2.6	35.223.142.180
Jan 14, 2025 23:01:42.757055998 CET	50156	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.757138014 CET	50156	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.757431030 CET	50157	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.761965990 CET	445	50156	35.223.142.1	192.168.2.6
Jan 14, 2025 23:01:42.762013912 CET	50156	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.762273073 CET	445	50157	35.223.142.1	192.168.2.6
Jan 14, 2025 23:01:42.762331963 CET	50157	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.762355089 CET	50157	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:01:42.767148972 CET	445	50157	35.223.142.1	192.168.2.6
Jan 14, 2025 23:01:43.983819962 CET	445	49787	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:43.983942986 CET	49787	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:43.984061003 CET	49787	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:43.984169960 CET	49787	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:43.988807917 CET	445	49787	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:43.988923073 CET	445	49787	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:44.762543917 CET	50193	445	192.168.2.6	178.158.238.185
Jan 14, 2025 23:01:44.767390013 CET	445	50193	178.158.238.185	192.168.2.6
Jan 14, 2025 23:01:44.767529011 CET	50193	445	192.168.2.6	178.158.238.185
Jan 14, 2025 23:01:44.767560959 CET	50193	445	192.168.2.6	178.158.238.185
Jan 14, 2025 23:01:44.767777920 CET	50194	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.772625923 CET	445	50193	178.158.238.185	192.168.2.6
Jan 14, 2025 23:01:44.772644997 CET	445	50194	178.158.238.1	192.168.2.6
Jan 14, 2025 23:01:44.772737026 CET	50193	445	192.168.2.6	178.158.238.185
Jan 14, 2025 23:01:44.772799969 CET	50194	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.772960901 CET	50194	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.773346901 CET	50195	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.777728081 CET	445	50194	178.158.238.1	192.168.2.6
Jan 14, 2025 23:01:44.777787924 CET	50194	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.778100967 CET	445	50195	178.158.238.1	192.168.2.6
Jan 14, 2025 23:01:44.778156042 CET	50195	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.778170109 CET	50195	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:01:44.782989025 CET	445	50195	178.158.238.1	192.168.2.6
Jan 14, 2025 23:01:44.980879068 CET	50199	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:44.985769033 CET	445	50199	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:44.988311052 CET	50199	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:44.988384962 CET	50199	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:01:44.993144035 CET	445	50199	100.32.218.1	192.168.2.6
Jan 14, 2025 23:01:45.997560978 CET	445	49823	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:45.997628927 CET	49823	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:46.018091917 CET	49823	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:46.018162966 CET	49823	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:46.022850037 CET	445	49823	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:46.022880077 CET	445	49823	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:46.778225899 CET	50212	445	192.168.2.6	174.39.175.208
Jan 14, 2025 23:01:46.783056021 CET	445	50212	174.39.175.208	192.168.2.6
Jan 14, 2025 23:01:46.783123970 CET	50212	445	192.168.2.6	174.39.175.208
Jan 14, 2025 23:01:46.783160925 CET	50212	445	192.168.2.6	174.39.175.208
Jan 14, 2025 23:01:46.783356905 CET	50213	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.788145065 CET	445	50213	174.39.175.1	192.168.2.6
Jan 14, 2025 23:01:46.788158894 CET	445	50212	174.39.175.208	192.168.2.6
Jan 14, 2025 23:01:46.788214922 CET	50212	445	192.168.2.6	174.39.175.208
Jan 14, 2025 23:01:46.788233042 CET	50213	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.788399935 CET	50213	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.788578033 CET	50214	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.793292046 CET	445	50213	174.39.175.1	192.168.2.6
Jan 14, 2025 23:01:46.793344021 CET	50213	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.793378115 CET	445	50214	174.39.175.1	192.168.2.6
Jan 14, 2025 23:01:46.793436050 CET	50214	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.793481112 CET	50214	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:01:46.798332930 CET	445	50214	174.39.175.1	192.168.2.6
Jan 14, 2025 23:01:46.996562958 CET	50215	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:47.001343966 CET	445	50215	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:47.001441956 CET	50215	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:47.001461029 CET	50215	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:01:47.006221056 CET	445	50215	17.84.70.1	192.168.2.6
Jan 14, 2025 23:01:47.995194912 CET	445	49860	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:47.995294094 CET	49860	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:47.995352983 CET	49860	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:47.995384932 CET	49860	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:48.000127077 CET	445	49860	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:48.000174999 CET	445	49860	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:48.836086035 CET	50224	445	192.168.2.6	168.51.130.6
Jan 14, 2025 23:01:48.840869904 CET	445	50224	168.51.130.6	192.168.2.6
Jan 14, 2025 23:01:48.840935946 CET	50224	445	192.168.2.6	168.51.130.6
Jan 14, 2025 23:01:48.841038942 CET	50224	445	192.168.2.6	168.51.130.6
Jan 14, 2025 23:01:48.841191053 CET	50226	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.845837116 CET	445	50224	168.51.130.6	192.168.2.6
Jan 14, 2025 23:01:48.845911026 CET	50224	445	192.168.2.6	168.51.130.6
Jan 14, 2025 23:01:48.845961094 CET	445	50226	168.51.130.1	192.168.2.6
Jan 14, 2025 23:01:48.846024990 CET	50226	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.846110106 CET	50226	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.848079920 CET	50227	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.850991011 CET	445	50226	168.51.130.1	192.168.2.6
Jan 14, 2025 23:01:48.851052999 CET	50226	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.852874041 CET	445	50227	168.51.130.1	192.168.2.6
Jan 14, 2025 23:01:48.852938890 CET	50227	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.852998972 CET	50227	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:01:48.857727051 CET	445	50227	168.51.130.1	192.168.2.6
Jan 14, 2025 23:01:49.031090021 CET	50229	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:49.035825968 CET	445	50229	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:49.035898924 CET	50229	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:49.035937071 CET	50229	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:01:49.040693045 CET	445	50229	118.161.193.1	192.168.2.6
Jan 14, 2025 23:01:49.995889902 CET	445	49900	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:49.995963097 CET	49900	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:49.996172905 CET	49900	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:49.996172905 CET	49900	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:50.001040936 CET	445	49900	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:50.001050949 CET	445	49900	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:50.842387915 CET	50237	445	192.168.2.6	138.174.49.236
Jan 14, 2025 23:01:50.847270012 CET	445	50237	138.174.49.236	192.168.2.6
Jan 14, 2025 23:01:50.849837065 CET	50237	445	192.168.2.6	138.174.49.236
Jan 14, 2025 23:01:50.849910975 CET	50237	445	192.168.2.6	138.174.49.236
Jan 14, 2025 23:01:50.850111961 CET	50238	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.854758024 CET	445	50237	138.174.49.236	192.168.2.6
Jan 14, 2025 23:01:50.854845047 CET	445	50238	138.174.49.1	192.168.2.6
Jan 14, 2025 23:01:50.854926109 CET	50237	445	192.168.2.6	138.174.49.236
Jan 14, 2025 23:01:50.854963064 CET	50238	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.855009079 CET	50238	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.855323076 CET	50239	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.859914064 CET	445	50238	138.174.49.1	192.168.2.6
Jan 14, 2025 23:01:50.860117912 CET	445	50239	138.174.49.1	192.168.2.6
Jan 14, 2025 23:01:50.860227108 CET	50238	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.860264063 CET	50239	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.860316992 CET	50239	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:01:50.865101099 CET	445	50239	138.174.49.1	192.168.2.6
Jan 14, 2025 23:01:50.997029066 CET	50240	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:51.001792908 CET	445	50240	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:51.005872965 CET	50240	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:51.005872965 CET	50240	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:01:51.010668039 CET	445	50240	36.109.88.1	192.168.2.6
Jan 14, 2025 23:01:52.124877930 CET	445	49937	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:52.124958038 CET	49937	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:52.125041962 CET	49937	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:52.125121117 CET	49937	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:52.129853964 CET	445	49937	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:52.129868984 CET	445	49937	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:52.857053041 CET	50252	445	192.168.2.6	31.23.132.77
Jan 14, 2025 23:01:52.861886978 CET	445	50252	31.23.132.77	192.168.2.6
Jan 14, 2025 23:01:52.862093925 CET	50252	445	192.168.2.6	31.23.132.77
Jan 14, 2025 23:01:52.862360001 CET	50252	445	192.168.2.6	31.23.132.77
Jan 14, 2025 23:01:52.862725973 CET	50253	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.867302895 CET	445	50252	31.23.132.77	192.168.2.6
Jan 14, 2025 23:01:52.867403030 CET	50252	445	192.168.2.6	31.23.132.77
Jan 14, 2025 23:01:52.867577076 CET	445	50253	31.23.132.1	192.168.2.6
Jan 14, 2025 23:01:52.867655039 CET	50253	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.867708921 CET	50253	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.868180990 CET	50254	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.872782946 CET	445	50253	31.23.132.1	192.168.2.6
Jan 14, 2025 23:01:52.872849941 CET	50253	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.872987986 CET	445	50254	31.23.132.1	192.168.2.6
Jan 14, 2025 23:01:52.873061895 CET	50254	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.873099089 CET	50254	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:01:52.877897978 CET	445	50254	31.23.132.1	192.168.2.6
Jan 14, 2025 23:01:52.996952057 CET	50256	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:53.001766920 CET	445	50256	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:53.001979113 CET	50256	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:53.002088070 CET	50256	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:01:53.006833076 CET	445	50256	221.93.116.1	192.168.2.6
Jan 14, 2025 23:01:54.042896986 CET	445	49972	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:54.043162107 CET	49972	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:54.043328047 CET	49972	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:54.043498039 CET	49972	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:54.048135996 CET	445	49972	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:54.048316002 CET	445	49972	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:54.872432947 CET	50269	445	192.168.2.6	184.175.83.95
Jan 14, 2025 23:01:54.877268076 CET	445	50269	184.175.83.95	192.168.2.6
Jan 14, 2025 23:01:54.877340078 CET	50269	445	192.168.2.6	184.175.83.95
Jan 14, 2025 23:01:54.877355099 CET	50269	445	192.168.2.6	184.175.83.95
Jan 14, 2025 23:01:54.877482891 CET	50270	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.882270098 CET	445	50270	184.175.83.1	192.168.2.6
Jan 14, 2025 23:01:54.882344007 CET	50270	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.882369995 CET	445	50269	184.175.83.95	192.168.2.6
Jan 14, 2025 23:01:54.882426977 CET	50269	445	192.168.2.6	184.175.83.95
Jan 14, 2025 23:01:54.882479906 CET	50270	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.882690907 CET	50271	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.887361050 CET	445	50270	184.175.83.1	192.168.2.6
Jan 14, 2025 23:01:54.887428045 CET	50270	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.887496948 CET	445	50271	184.175.83.1	192.168.2.6
Jan 14, 2025 23:01:54.887558937 CET	50271	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.887573957 CET	50271	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:01:54.892395973 CET	445	50271	184.175.83.1	192.168.2.6
Jan 14, 2025 23:01:55.137409925 CET	50274	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:55.142200947 CET	445	50274	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:55.142262936 CET	50274	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:55.142308950 CET	50274	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:01:55.147053957 CET	445	50274	11.83.7.1	192.168.2.6
Jan 14, 2025 23:01:56.045075893 CET	445	50010	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:56.045156002 CET	50010	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:56.045202017 CET	50010	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:56.045226097 CET	50010	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:56.051187992 CET	445	50010	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:56.051218987 CET	445	50010	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:56.747571945 CET	50285	445	192.168.2.6	22.174.74.153
Jan 14, 2025 23:01:56.752461910 CET	445	50285	22.174.74.153	192.168.2.6
Jan 14, 2025 23:01:56.752554893 CET	50285	445	192.168.2.6	22.174.74.153
Jan 14, 2025 23:01:56.752571106 CET	50285	445	192.168.2.6	22.174.74.153
Jan 14, 2025 23:01:56.752721071 CET	50286	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.757659912 CET	445	50286	22.174.74.1	192.168.2.6
Jan 14, 2025 23:01:56.757699966 CET	445	50285	22.174.74.153	192.168.2.6
Jan 14, 2025 23:01:56.757731915 CET	50286	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.757757902 CET	50286	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.757775068 CET	50285	445	192.168.2.6	22.174.74.153
Jan 14, 2025 23:01:56.758043051 CET	50287	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.762751102 CET	445	50286	22.174.74.1	192.168.2.6
Jan 14, 2025 23:01:56.762806892 CET	50286	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.762881994 CET	445	50287	22.174.74.1	192.168.2.6
Jan 14, 2025 23:01:56.762944937 CET	50287	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.762988091 CET	50287	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:01:56.767797947 CET	445	50287	22.174.74.1	192.168.2.6
Jan 14, 2025 23:01:56.895929098 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:56.895984888 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:56.896296024 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:56.896802902 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:56.896842003 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.044147968 CET	50289	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:57.112576008 CET	445	50289	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:57.112628937 CET	50289	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:57.112673044 CET	50289	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:01:57.153599977 CET	445	50289	116.235.7.1	192.168.2.6
Jan 14, 2025 23:01:57.735656977 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.735986948 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:57.737998962 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:57.738029003 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.738832951 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.742436886 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:57.742505074 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:57.742516994 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.742635965 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:57.787331104 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.920133114 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.920257092 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.920648098 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:57.920695066 CET	443	50288	40.113.103.199	192.168.2.6
Jan 14, 2025 23:01:57.920725107 CET	50288	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:01:58.059525967 CET	445	50050	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:58.062057972 CET	50050	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:58.062058926 CET	50050	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:58.062155008 CET	50050	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:01:58.066941023 CET	445	50050	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:58.066984892 CET	445	50050	180.1.23.1	192.168.2.6
Jan 14, 2025 23:01:58.497195005 CET	50300	445	192.168.2.6	62.43.202.124
Jan 14, 2025 23:01:58.502079010 CET	445	50300	62.43.202.124	192.168.2.6
Jan 14, 2025 23:01:58.502177000 CET	50300	445	192.168.2.6	62.43.202.124
Jan 14, 2025 23:01:58.502232075 CET	50300	445	192.168.2.6	62.43.202.124
Jan 14, 2025 23:01:58.502373934 CET	50301	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.507164955 CET	445	50300	62.43.202.124	192.168.2.6
Jan 14, 2025 23:01:58.507220984 CET	445	50301	62.43.202.1	192.168.2.6
Jan 14, 2025 23:01:58.507236004 CET	50300	445	192.168.2.6	62.43.202.124
Jan 14, 2025 23:01:58.507296085 CET	50301	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.507355928 CET	50301	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.507556915 CET	50302	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.512470961 CET	445	50302	62.43.202.1	192.168.2.6
Jan 14, 2025 23:01:58.512554884 CET	50302	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.512572050 CET	50302	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.512617111 CET	445	50301	62.43.202.1	192.168.2.6
Jan 14, 2025 23:01:58.512690067 CET	50301	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:01:58.517441988 CET	445	50302	62.43.202.1	192.168.2.6
Jan 14, 2025 23:01:59.059433937 CET	50308	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:59.064588070 CET	445	50308	7.123.157.1	192.168.2.6
Jan 14, 2025 23:01:59.066065073 CET	50308	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:59.066102982 CET	50308	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:01:59.070873976 CET	445	50308	7.123.157.1	192.168.2.6
Jan 14, 2025 23:02:00.090982914 CET	445	50085	219.163.9.1	192.168.2.6
Jan 14, 2025 23:02:00.091051102 CET	50085	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:00.091092110 CET	50085	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:00.091134071 CET	50085	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:00.095933914 CET	445	50085	219.163.9.1	192.168.2.6
Jan 14, 2025 23:02:00.095943928 CET	445	50085	219.163.9.1	192.168.2.6
Jan 14, 2025 23:02:00.138689995 CET	50314	445	192.168.2.6	190.125.139.32
Jan 14, 2025 23:02:00.143601894 CET	445	50314	190.125.139.32	192.168.2.6
Jan 14, 2025 23:02:00.143754005 CET	50314	445	192.168.2.6	190.125.139.32
Jan 14, 2025 23:02:00.149751902 CET	50314	445	192.168.2.6	190.125.139.32
Jan 14, 2025 23:02:00.150322914 CET	50315	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.155117989 CET	445	50315	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:00.155297995 CET	50315	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.155388117 CET	50315	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.155705929 CET	445	50314	190.125.139.32	192.168.2.6
Jan 14, 2025 23:02:00.155771017 CET	50316	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.155771971 CET	50314	445	192.168.2.6	190.125.139.32
Jan 14, 2025 23:02:00.160317898 CET	445	50315	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:00.160376072 CET	50315	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.160592079 CET	445	50316	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:00.160664082 CET	50316	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.160696983 CET	50316	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:00.165448904 CET	445	50316	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:00.403244972 CET	445	50302	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:00.403420925 CET	50302	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:00.403459072 CET	50302	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:00.403513908 CET	50302	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:00.408294916 CET	445	50302	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:00.408305883 CET	445	50302	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:01.075433969 CET	50319	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:02:01.080212116 CET	445	50319	180.1.23.1	192.168.2.6
Jan 14, 2025 23:02:01.080279112 CET	50319	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:02:01.080324888 CET	50319	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:02:01.085072994 CET	445	50319	180.1.23.1	192.168.2.6
Jan 14, 2025 23:02:01.669331074 CET	50320	445	192.168.2.6	12.2.240.16
Jan 14, 2025 23:02:01.674274921 CET	445	50320	12.2.240.16	192.168.2.6
Jan 14, 2025 23:02:01.674370050 CET	50320	445	192.168.2.6	12.2.240.16
Jan 14, 2025 23:02:01.674436092 CET	50320	445	192.168.2.6	12.2.240.16
Jan 14, 2025 23:02:01.674530029 CET	50321	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.679354906 CET	445	50321	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:01.679550886 CET	445	50320	12.2.240.16	192.168.2.6
Jan 14, 2025 23:02:01.679596901 CET	50321	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.679596901 CET	50321	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.679615974 CET	50320	445	192.168.2.6	12.2.240.16
Jan 14, 2025 23:02:01.679694891 CET	50322	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.684537888 CET	445	50322	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:01.684602976 CET	50322	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.684624910 CET	50322	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.684712887 CET	445	50321	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:01.684772015 CET	50321	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:01.689492941 CET	445	50322	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:02.137196064 CET	445	50121	2.141.195.1	192.168.2.6
Jan 14, 2025 23:02:02.137356043 CET	50121	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:02.137399912 CET	50121	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:02.137459993 CET	50121	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:02.142242908 CET	445	50121	2.141.195.1	192.168.2.6
Jan 14, 2025 23:02:02.142275095 CET	445	50121	2.141.195.1	192.168.2.6
Jan 14, 2025 23:02:03.091274023 CET	50323	445	192.168.2.6	170.88.223.82
Jan 14, 2025 23:02:03.106499910 CET	50324	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:03.130100012 CET	445	50323	170.88.223.82	192.168.2.6
Jan 14, 2025 23:02:03.130136967 CET	445	50324	219.163.9.1	192.168.2.6
Jan 14, 2025 23:02:03.130214930 CET	50323	445	192.168.2.6	170.88.223.82
Jan 14, 2025 23:02:03.130373955 CET	50323	445	192.168.2.6	170.88.223.82
Jan 14, 2025 23:02:03.130373955 CET	50324	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:03.130501986 CET	50324	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:03.130551100 CET	50325	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.137290955 CET	445	50324	219.163.9.1	192.168.2.6
Jan 14, 2025 23:02:03.137353897 CET	445	50325	170.88.223.1	192.168.2.6
Jan 14, 2025 23:02:03.137417078 CET	50325	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.137459993 CET	50325	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.137918949 CET	50326	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.138952017 CET	445	50323	170.88.223.82	192.168.2.6
Jan 14, 2025 23:02:03.139012098 CET	50323	445	192.168.2.6	170.88.223.82
Jan 14, 2025 23:02:03.142688990 CET	445	50326	170.88.223.1	192.168.2.6
Jan 14, 2025 23:02:03.142769098 CET	50326	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.142802000 CET	50326	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.143371105 CET	445	50325	170.88.223.1	192.168.2.6
Jan 14, 2025 23:02:03.143450975 CET	50325	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:03.147613049 CET	445	50326	170.88.223.1	192.168.2.6
Jan 14, 2025 23:02:03.419153929 CET	50327	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:03.424292088 CET	445	50327	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:03.424554110 CET	50327	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:03.424705982 CET	50327	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:03.429605961 CET	445	50327	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:04.106009007 CET	445	50157	35.223.142.1	192.168.2.6
Jan 14, 2025 23:02:04.106098890 CET	50157	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:04.106173992 CET	50157	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:04.106220007 CET	50157	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:04.110927105 CET	445	50157	35.223.142.1	192.168.2.6
Jan 14, 2025 23:02:04.111001015 CET	445	50157	35.223.142.1	192.168.2.6
Jan 14, 2025 23:02:04.419377089 CET	50328	445	192.168.2.6	137.206.81.3
Jan 14, 2025 23:02:04.424196005 CET	445	50328	137.206.81.3	192.168.2.6
Jan 14, 2025 23:02:04.424314976 CET	50328	445	192.168.2.6	137.206.81.3
Jan 14, 2025 23:02:04.424360037 CET	50328	445	192.168.2.6	137.206.81.3
Jan 14, 2025 23:02:04.424597025 CET	50329	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.429332972 CET	445	50329	137.206.81.1	192.168.2.6
Jan 14, 2025 23:02:04.429379940 CET	445	50328	137.206.81.3	192.168.2.6
Jan 14, 2025 23:02:04.429404974 CET	50329	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.429454088 CET	50328	445	192.168.2.6	137.206.81.3
Jan 14, 2025 23:02:04.429546118 CET	50329	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.429867983 CET	50330	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.434628010 CET	445	50330	137.206.81.1	192.168.2.6
Jan 14, 2025 23:02:04.434699059 CET	50330	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.434731960 CET	50330	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.434753895 CET	445	50329	137.206.81.1	192.168.2.6
Jan 14, 2025 23:02:04.434812069 CET	50329	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:04.439475060 CET	445	50330	137.206.81.1	192.168.2.6
Jan 14, 2025 23:02:05.153517962 CET	50331	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:05.158375978 CET	445	50331	2.141.195.1	192.168.2.6
Jan 14, 2025 23:02:05.158474922 CET	50331	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:05.158534050 CET	50331	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:05.163356066 CET	445	50331	2.141.195.1	192.168.2.6
Jan 14, 2025 23:02:05.180386066 CET	445	50327	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:05.180478096 CET	50327	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:05.180638075 CET	50327	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:05.180638075 CET	50327	445	192.168.2.6	62.43.202.1
Jan 14, 2025 23:02:05.185525894 CET	445	50327	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:05.185556889 CET	445	50327	62.43.202.1	192.168.2.6
Jan 14, 2025 23:02:05.231719971 CET	50332	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.237154007 CET	445	50332	62.43.202.2	192.168.2.6
Jan 14, 2025 23:02:05.237270117 CET	50332	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.237332106 CET	50332	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.237781048 CET	50333	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.242223978 CET	445	50332	62.43.202.2	192.168.2.6
Jan 14, 2025 23:02:05.242465973 CET	445	50332	62.43.202.2	192.168.2.6
Jan 14, 2025 23:02:05.242527962 CET	50332	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.242686033 CET	445	50333	62.43.202.2	192.168.2.6
Jan 14, 2025 23:02:05.242765903 CET	50333	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.242813110 CET	50333	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:05.247623920 CET	445	50333	62.43.202.2	192.168.2.6
Jan 14, 2025 23:02:05.657192945 CET	50334	445	192.168.2.6	184.207.137.141
Jan 14, 2025 23:02:05.662076950 CET	445	50334	184.207.137.141	192.168.2.6
Jan 14, 2025 23:02:05.662192106 CET	50334	445	192.168.2.6	184.207.137.141
Jan 14, 2025 23:02:05.662277937 CET	50334	445	192.168.2.6	184.207.137.141
Jan 14, 2025 23:02:05.667150974 CET	445	50334	184.207.137.141	192.168.2.6
Jan 14, 2025 23:02:05.667248011 CET	50334	445	192.168.2.6	184.207.137.141
Jan 14, 2025 23:02:05.670063972 CET	50335	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.674953938 CET	445	50335	184.207.137.1	192.168.2.6
Jan 14, 2025 23:02:05.675152063 CET	50335	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.675183058 CET	50335	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.675623894 CET	50336	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.680224895 CET	445	50335	184.207.137.1	192.168.2.6
Jan 14, 2025 23:02:05.680300951 CET	50335	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.680430889 CET	445	50336	184.207.137.1	192.168.2.6
Jan 14, 2025 23:02:05.680500984 CET	50336	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.680561066 CET	50336	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:05.685314894 CET	445	50336	184.207.137.1	192.168.2.6
Jan 14, 2025 23:02:06.153060913 CET	445	50195	178.158.238.1	192.168.2.6
Jan 14, 2025 23:02:06.153477907 CET	50195	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:06.153477907 CET	50195	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:06.153533936 CET	50195	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:06.158571959 CET	445	50195	178.158.238.1	192.168.2.6
Jan 14, 2025 23:02:06.158592939 CET	445	50195	178.158.238.1	192.168.2.6
Jan 14, 2025 23:02:06.373815060 CET	445	50199	100.32.218.1	192.168.2.6
Jan 14, 2025 23:02:06.373918056 CET	50199	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:02:06.374001026 CET	50199	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:02:06.374077082 CET	50199	445	192.168.2.6	100.32.218.1
Jan 14, 2025 23:02:06.378747940 CET	445	50199	100.32.218.1	192.168.2.6
Jan 14, 2025 23:02:06.378843069 CET	445	50199	100.32.218.1	192.168.2.6
Jan 14, 2025 23:02:06.440587997 CET	50337	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.445471048 CET	445	50337	100.32.218.2	192.168.2.6
Jan 14, 2025 23:02:06.445553064 CET	50337	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.445624113 CET	50337	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.446057081 CET	50338	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.450500011 CET	445	50337	100.32.218.2	192.168.2.6
Jan 14, 2025 23:02:06.450556993 CET	50337	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.450833082 CET	445	50338	100.32.218.2	192.168.2.6
Jan 14, 2025 23:02:06.450982094 CET	50338	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.450982094 CET	50338	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:06.455746889 CET	445	50338	100.32.218.2	192.168.2.6
Jan 14, 2025 23:02:06.841007948 CET	50339	445	192.168.2.6	53.26.1.45
Jan 14, 2025 23:02:06.845851898 CET	445	50339	53.26.1.45	192.168.2.6
Jan 14, 2025 23:02:06.845941067 CET	50339	445	192.168.2.6	53.26.1.45
Jan 14, 2025 23:02:06.849718094 CET	50339	445	192.168.2.6	53.26.1.45
Jan 14, 2025 23:02:06.849924088 CET	50340	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.854562998 CET	445	50339	53.26.1.45	192.168.2.6
Jan 14, 2025 23:02:06.854633093 CET	50339	445	192.168.2.6	53.26.1.45
Jan 14, 2025 23:02:06.854674101 CET	445	50340	53.26.1.1	192.168.2.6
Jan 14, 2025 23:02:06.854737043 CET	50340	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.856781960 CET	50340	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.857248068 CET	50341	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.861576080 CET	445	50340	53.26.1.1	192.168.2.6
Jan 14, 2025 23:02:06.861634016 CET	50340	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.862068892 CET	445	50341	53.26.1.1	192.168.2.6
Jan 14, 2025 23:02:06.862122059 CET	50341	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.862138033 CET	50341	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:06.866889954 CET	445	50341	53.26.1.1	192.168.2.6
Jan 14, 2025 23:02:07.123140097 CET	50342	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:07.128504992 CET	445	50342	35.223.142.1	192.168.2.6
Jan 14, 2025 23:02:07.128577948 CET	50342	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:07.128618956 CET	50342	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:07.133579969 CET	445	50342	35.223.142.1	192.168.2.6
Jan 14, 2025 23:02:07.919492960 CET	50344	445	192.168.2.6	104.53.109.195
Jan 14, 2025 23:02:07.924335957 CET	445	50344	104.53.109.195	192.168.2.6
Jan 14, 2025 23:02:07.924443007 CET	50344	445	192.168.2.6	104.53.109.195
Jan 14, 2025 23:02:07.924474955 CET	50344	445	192.168.2.6	104.53.109.195
Jan 14, 2025 23:02:07.924571037 CET	50345	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.929375887 CET	445	50345	104.53.109.1	192.168.2.6
Jan 14, 2025 23:02:07.929450989 CET	50345	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.929472923 CET	50345	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.929517031 CET	445	50344	104.53.109.195	192.168.2.6
Jan 14, 2025 23:02:07.929867983 CET	50346	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.929896116 CET	50344	445	192.168.2.6	104.53.109.195
Jan 14, 2025 23:02:07.934497118 CET	445	50345	104.53.109.1	192.168.2.6
Jan 14, 2025 23:02:07.934636116 CET	50345	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.934720993 CET	445	50346	104.53.109.1	192.168.2.6
Jan 14, 2025 23:02:07.934812069 CET	50346	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.934812069 CET	50346	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:07.939677954 CET	445	50346	104.53.109.1	192.168.2.6
Jan 14, 2025 23:02:08.169519901 CET	445	50214	174.39.175.1	192.168.2.6
Jan 14, 2025 23:02:08.170511007 CET	50214	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:08.170511961 CET	50214	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:08.170511961 CET	50214	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:08.175568104 CET	445	50214	174.39.175.1	192.168.2.6
Jan 14, 2025 23:02:08.175602913 CET	445	50214	174.39.175.1	192.168.2.6
Jan 14, 2025 23:02:08.376051903 CET	445	50215	17.84.70.1	192.168.2.6
Jan 14, 2025 23:02:08.376136065 CET	50215	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:02:08.376266956 CET	50215	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:02:08.376398087 CET	50215	445	192.168.2.6	17.84.70.1
Jan 14, 2025 23:02:08.381102085 CET	445	50215	17.84.70.1	192.168.2.6
Jan 14, 2025 23:02:08.381186962 CET	445	50215	17.84.70.1	192.168.2.6
Jan 14, 2025 23:02:08.434849024 CET	50347	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.439723969 CET	445	50347	17.84.70.2	192.168.2.6
Jan 14, 2025 23:02:08.439815044 CET	50347	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.439887047 CET	50347	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.440270901 CET	50348	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.444817066 CET	445	50347	17.84.70.2	192.168.2.6
Jan 14, 2025 23:02:08.444888115 CET	50347	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.445120096 CET	445	50348	17.84.70.2	192.168.2.6
Jan 14, 2025 23:02:08.445198059 CET	50348	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.445234060 CET	50348	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:08.450076103 CET	445	50348	17.84.70.2	192.168.2.6
Jan 14, 2025 23:02:08.935206890 CET	50349	445	192.168.2.6	60.78.186.191
Jan 14, 2025 23:02:08.940218925 CET	445	50349	60.78.186.191	192.168.2.6
Jan 14, 2025 23:02:08.940291882 CET	50349	445	192.168.2.6	60.78.186.191
Jan 14, 2025 23:02:08.940320015 CET	50349	445	192.168.2.6	60.78.186.191
Jan 14, 2025 23:02:08.940454006 CET	50350	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.945393085 CET	445	50350	60.78.186.1	192.168.2.6
Jan 14, 2025 23:02:08.945456982 CET	50350	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.945494890 CET	50350	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.945671082 CET	445	50349	60.78.186.191	192.168.2.6
Jan 14, 2025 23:02:08.945729971 CET	50349	445	192.168.2.6	60.78.186.191
Jan 14, 2025 23:02:08.945839882 CET	50351	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.950472116 CET	445	50350	60.78.186.1	192.168.2.6
Jan 14, 2025 23:02:08.950520039 CET	50350	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.950603962 CET	445	50351	60.78.186.1	192.168.2.6
Jan 14, 2025 23:02:08.950665951 CET	50351	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.950726986 CET	50351	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:08.955594063 CET	445	50351	60.78.186.1	192.168.2.6
Jan 14, 2025 23:02:09.169703960 CET	50352	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:09.174974918 CET	445	50352	178.158.238.1	192.168.2.6
Jan 14, 2025 23:02:09.175192118 CET	50352	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:09.175357103 CET	50352	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:09.180242062 CET	445	50352	178.158.238.1	192.168.2.6
Jan 14, 2025 23:02:09.873033047 CET	50353	445	192.168.2.6	126.128.51.225
Jan 14, 2025 23:02:09.878065109 CET	445	50353	126.128.51.225	192.168.2.6
Jan 14, 2025 23:02:09.878196955 CET	50353	445	192.168.2.6	126.128.51.225
Jan 14, 2025 23:02:09.881055117 CET	50353	445	192.168.2.6	126.128.51.225
Jan 14, 2025 23:02:09.881321907 CET	50354	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.885910034 CET	445	50353	126.128.51.225	192.168.2.6
Jan 14, 2025 23:02:09.886102915 CET	50353	445	192.168.2.6	126.128.51.225
Jan 14, 2025 23:02:09.886172056 CET	445	50354	126.128.51.1	192.168.2.6
Jan 14, 2025 23:02:09.886248112 CET	50354	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.886260033 CET	50354	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.886639118 CET	50355	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.891222000 CET	445	50354	126.128.51.1	192.168.2.6
Jan 14, 2025 23:02:09.891288996 CET	50354	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.892003059 CET	445	50355	126.128.51.1	192.168.2.6
Jan 14, 2025 23:02:09.892065048 CET	50355	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.892086983 CET	50355	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:09.896960020 CET	445	50355	126.128.51.1	192.168.2.6
Jan 14, 2025 23:02:10.215899944 CET	445	50227	168.51.130.1	192.168.2.6
Jan 14, 2025 23:02:10.216027021 CET	50227	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:10.216027021 CET	50227	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:10.216121912 CET	50227	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:10.221009016 CET	445	50227	168.51.130.1	192.168.2.6
Jan 14, 2025 23:02:10.221092939 CET	445	50227	168.51.130.1	192.168.2.6
Jan 14, 2025 23:02:10.403239012 CET	445	50229	118.161.193.1	192.168.2.6
Jan 14, 2025 23:02:10.403445005 CET	50229	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:02:10.403605938 CET	50229	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:02:10.403673887 CET	50229	445	192.168.2.6	118.161.193.1
Jan 14, 2025 23:02:10.408396006 CET	445	50229	118.161.193.1	192.168.2.6
Jan 14, 2025 23:02:10.408461094 CET	445	50229	118.161.193.1	192.168.2.6
Jan 14, 2025 23:02:10.466556072 CET	50356	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.473037958 CET	445	50356	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:10.473170042 CET	50356	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.473242998 CET	50356	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.473772049 CET	50357	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.478359938 CET	445	50356	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:10.478708982 CET	445	50357	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:10.478787899 CET	50357	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.478827953 CET	50357	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.480952978 CET	445	50356	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:10.481023073 CET	50356	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:10.483589888 CET	445	50357	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:10.747750044 CET	50358	445	192.168.2.6	220.125.197.195
Jan 14, 2025 23:02:10.752648115 CET	445	50358	220.125.197.195	192.168.2.6
Jan 14, 2025 23:02:10.752726078 CET	50358	445	192.168.2.6	220.125.197.195
Jan 14, 2025 23:02:10.752748013 CET	50358	445	192.168.2.6	220.125.197.195
Jan 14, 2025 23:02:10.752873898 CET	50359	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.757674932 CET	445	50359	220.125.197.1	192.168.2.6
Jan 14, 2025 23:02:10.757744074 CET	50359	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.757744074 CET	50359	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.757855892 CET	445	50358	220.125.197.195	192.168.2.6
Jan 14, 2025 23:02:10.757909060 CET	50358	445	192.168.2.6	220.125.197.195
Jan 14, 2025 23:02:10.758012056 CET	50360	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.762782097 CET	445	50359	220.125.197.1	192.168.2.6
Jan 14, 2025 23:02:10.762816906 CET	445	50360	220.125.197.1	192.168.2.6
Jan 14, 2025 23:02:10.762842894 CET	50359	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.762886047 CET	50360	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.762907028 CET	50360	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:10.767821074 CET	445	50360	220.125.197.1	192.168.2.6
Jan 14, 2025 23:02:11.184956074 CET	50361	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:11.189932108 CET	445	50361	174.39.175.1	192.168.2.6
Jan 14, 2025 23:02:11.190036058 CET	50361	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:11.190071106 CET	50361	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:11.194865942 CET	445	50361	174.39.175.1	192.168.2.6
Jan 14, 2025 23:02:11.577094078 CET	50362	445	192.168.2.6	180.181.199.215
Jan 14, 2025 23:02:11.581871033 CET	445	50362	180.181.199.215	192.168.2.6
Jan 14, 2025 23:02:11.581959009 CET	50362	445	192.168.2.6	180.181.199.215
Jan 14, 2025 23:02:11.582067013 CET	50362	445	192.168.2.6	180.181.199.215
Jan 14, 2025 23:02:11.582262039 CET	50363	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.586879969 CET	445	50362	180.181.199.215	192.168.2.6
Jan 14, 2025 23:02:11.586946964 CET	50362	445	192.168.2.6	180.181.199.215
Jan 14, 2025 23:02:11.586992979 CET	445	50363	180.181.199.1	192.168.2.6
Jan 14, 2025 23:02:11.587055922 CET	50363	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.587100983 CET	50363	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.587373972 CET	50364	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.592144966 CET	445	50363	180.181.199.1	192.168.2.6
Jan 14, 2025 23:02:11.592158079 CET	445	50364	180.181.199.1	192.168.2.6
Jan 14, 2025 23:02:11.592210054 CET	50363	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.592241049 CET	50364	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.592282057 CET	50364	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:11.597016096 CET	445	50364	180.181.199.1	192.168.2.6
Jan 14, 2025 23:02:12.262608051 CET	445	50239	138.174.49.1	192.168.2.6
Jan 14, 2025 23:02:12.262726068 CET	50239	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:12.274511099 CET	50239	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:12.274555922 CET	50239	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:12.279354095 CET	445	50239	138.174.49.1	192.168.2.6
Jan 14, 2025 23:02:12.279366016 CET	445	50239	138.174.49.1	192.168.2.6
Jan 14, 2025 23:02:12.341556072 CET	50365	445	192.168.2.6	11.60.171.136
Jan 14, 2025 23:02:12.346330881 CET	445	50365	11.60.171.136	192.168.2.6
Jan 14, 2025 23:02:12.346395016 CET	50365	445	192.168.2.6	11.60.171.136
Jan 14, 2025 23:02:12.346411943 CET	50365	445	192.168.2.6	11.60.171.136
Jan 14, 2025 23:02:12.346532106 CET	50366	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.351247072 CET	445	50366	11.60.171.1	192.168.2.6
Jan 14, 2025 23:02:12.351325035 CET	50366	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.351345062 CET	50366	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.351512909 CET	445	50365	11.60.171.136	192.168.2.6
Jan 14, 2025 23:02:12.351557016 CET	50365	445	192.168.2.6	11.60.171.136
Jan 14, 2025 23:02:12.351855993 CET	50367	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.356287956 CET	445	50366	11.60.171.1	192.168.2.6
Jan 14, 2025 23:02:12.356334925 CET	50366	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.356661081 CET	445	50367	11.60.171.1	192.168.2.6
Jan 14, 2025 23:02:12.356724024 CET	50367	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.356746912 CET	50367	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:12.361526012 CET	445	50367	11.60.171.1	192.168.2.6
Jan 14, 2025 23:02:12.419615984 CET	445	50240	36.109.88.1	192.168.2.6
Jan 14, 2025 23:02:12.419678926 CET	50240	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:02:12.419745922 CET	50240	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:02:12.419780016 CET	50240	445	192.168.2.6	36.109.88.1
Jan 14, 2025 23:02:12.424474001 CET	445	50240	36.109.88.1	192.168.2.6
Jan 14, 2025 23:02:12.424582958 CET	445	50240	36.109.88.1	192.168.2.6
Jan 14, 2025 23:02:12.481800079 CET	50368	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.486658096 CET	445	50368	36.109.88.2	192.168.2.6
Jan 14, 2025 23:02:12.486743927 CET	50368	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.486805916 CET	50368	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.487117052 CET	50369	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.491671085 CET	445	50368	36.109.88.2	192.168.2.6
Jan 14, 2025 23:02:12.491734982 CET	50368	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.491916895 CET	445	50369	36.109.88.2	192.168.2.6
Jan 14, 2025 23:02:12.491988897 CET	50369	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.492033005 CET	50369	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:12.497776031 CET	445	50369	36.109.88.2	192.168.2.6
Jan 14, 2025 23:02:12.728250027 CET	445	50357	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:12.728440046 CET	50357	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:12.728440046 CET	50357	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:12.728440046 CET	50357	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:12.733417988 CET	445	50357	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:12.733428001 CET	445	50357	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:13.231789112 CET	50371	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:13.236633062 CET	445	50371	168.51.130.1	192.168.2.6
Jan 14, 2025 23:02:13.236731052 CET	50371	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:13.236767054 CET	50371	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:13.241628885 CET	445	50371	168.51.130.1	192.168.2.6
Jan 14, 2025 23:02:14.282720089 CET	445	50254	31.23.132.1	192.168.2.6
Jan 14, 2025 23:02:14.282852888 CET	50254	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:14.282852888 CET	50254	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:14.282896996 CET	50254	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:14.287909031 CET	445	50254	31.23.132.1	192.168.2.6
Jan 14, 2025 23:02:14.287941933 CET	445	50254	31.23.132.1	192.168.2.6
Jan 14, 2025 23:02:14.434916019 CET	445	50256	221.93.116.1	192.168.2.6
Jan 14, 2025 23:02:14.435100079 CET	50256	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:02:14.435100079 CET	50256	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:02:14.435162067 CET	50256	445	192.168.2.6	221.93.116.1
Jan 14, 2025 23:02:14.440037966 CET	445	50256	221.93.116.1	192.168.2.6
Jan 14, 2025 23:02:14.440068960 CET	445	50256	221.93.116.1	192.168.2.6
Jan 14, 2025 23:02:14.497756958 CET	50375	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.502655029 CET	445	50375	221.93.116.2	192.168.2.6
Jan 14, 2025 23:02:14.502742052 CET	50375	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.502878904 CET	50375	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.503160954 CET	50376	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.507805109 CET	445	50375	221.93.116.2	192.168.2.6
Jan 14, 2025 23:02:14.507868052 CET	50375	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.508013964 CET	445	50376	221.93.116.2	192.168.2.6
Jan 14, 2025 23:02:14.508073092 CET	50376	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.508105993 CET	50376	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:14.512944937 CET	445	50376	221.93.116.2	192.168.2.6
Jan 14, 2025 23:02:15.278888941 CET	50379	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:15.284717083 CET	445	50379	138.174.49.1	192.168.2.6
Jan 14, 2025 23:02:15.284842968 CET	50379	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:15.284888983 CET	50379	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:15.289729118 CET	445	50379	138.174.49.1	192.168.2.6
Jan 14, 2025 23:02:15.732090950 CET	50383	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:15.737179995 CET	445	50383	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:15.737643003 CET	50383	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:15.737643957 CET	50383	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:15.743588924 CET	445	50383	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:16.248127937 CET	445	50271	184.175.83.1	192.168.2.6
Jan 14, 2025 23:02:16.248253107 CET	50271	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:16.248316050 CET	50271	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:16.248363972 CET	50271	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:16.253222942 CET	445	50271	184.175.83.1	192.168.2.6
Jan 14, 2025 23:02:16.253254890 CET	445	50271	184.175.83.1	192.168.2.6
Jan 14, 2025 23:02:16.518949032 CET	445	50274	11.83.7.1	192.168.2.6
Jan 14, 2025 23:02:16.519283056 CET	50274	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:02:16.519283056 CET	50274	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:02:16.519336939 CET	50274	445	192.168.2.6	11.83.7.1
Jan 14, 2025 23:02:16.524406910 CET	445	50274	11.83.7.1	192.168.2.6
Jan 14, 2025 23:02:16.524451017 CET	445	50274	11.83.7.1	192.168.2.6
Jan 14, 2025 23:02:16.575988054 CET	50389	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.580949068 CET	445	50389	11.83.7.2	192.168.2.6
Jan 14, 2025 23:02:16.581049919 CET	50389	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.581091881 CET	50389	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.581429958 CET	50390	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.586263895 CET	445	50390	11.83.7.2	192.168.2.6
Jan 14, 2025 23:02:16.586334944 CET	50390	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.586360931 CET	50390	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.586543083 CET	445	50389	11.83.7.2	192.168.2.6
Jan 14, 2025 23:02:16.586734056 CET	445	50389	11.83.7.2	192.168.2.6
Jan 14, 2025 23:02:16.586791992 CET	50389	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:16.591228008 CET	445	50390	11.83.7.2	192.168.2.6
Jan 14, 2025 23:02:17.294514894 CET	50397	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:17.299421072 CET	445	50397	31.23.132.1	192.168.2.6
Jan 14, 2025 23:02:17.299534082 CET	50397	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:17.299534082 CET	50397	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:17.304313898 CET	445	50397	31.23.132.1	192.168.2.6
Jan 14, 2025 23:02:17.792998075 CET	445	50383	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:17.793195963 CET	50383	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:17.793299913 CET	50383	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:17.793354988 CET	50383	445	192.168.2.6	118.161.193.2
Jan 14, 2025 23:02:17.798032045 CET	445	50383	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:17.798084974 CET	445	50383	118.161.193.2	192.168.2.6
Jan 14, 2025 23:02:17.857270956 CET	50404	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.862185001 CET	445	50404	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:17.862303019 CET	50404	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.862303019 CET	50404	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.862723112 CET	50405	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.867552042 CET	445	50404	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:17.867563963 CET	445	50405	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:17.867640018 CET	50405	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.867667913 CET	50404	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.867686033 CET	50405	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:17.872471094 CET	445	50405	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:18.122220039 CET	445	50287	22.174.74.1	192.168.2.6
Jan 14, 2025 23:02:18.122505903 CET	50287	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:18.122507095 CET	50287	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:18.122550011 CET	50287	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:18.127890110 CET	445	50287	22.174.74.1	192.168.2.6
Jan 14, 2025 23:02:18.127934933 CET	445	50287	22.174.74.1	192.168.2.6
Jan 14, 2025 23:02:18.466804028 CET	445	50289	116.235.7.1	192.168.2.6
Jan 14, 2025 23:02:18.466921091 CET	50289	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:02:18.470756054 CET	50289	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:02:18.470792055 CET	50289	445	192.168.2.6	116.235.7.1
Jan 14, 2025 23:02:18.475652933 CET	445	50289	116.235.7.1	192.168.2.6
Jan 14, 2025 23:02:18.475687027 CET	445	50289	116.235.7.1	192.168.2.6
Jan 14, 2025 23:02:18.529746056 CET	50413	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.534857035 CET	445	50413	116.235.7.2	192.168.2.6
Jan 14, 2025 23:02:18.535173893 CET	50413	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.535175085 CET	50413	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.535767078 CET	50414	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.540771961 CET	445	50413	116.235.7.2	192.168.2.6
Jan 14, 2025 23:02:18.540823936 CET	445	50414	116.235.7.2	192.168.2.6
Jan 14, 2025 23:02:18.540916920 CET	50414	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.540963888 CET	50414	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.540999889 CET	50413	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:18.545805931 CET	445	50414	116.235.7.2	192.168.2.6
Jan 14, 2025 23:02:19.263250113 CET	50424	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:19.268183947 CET	445	50424	184.175.83.1	192.168.2.6
Jan 14, 2025 23:02:19.268294096 CET	50424	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:19.268336058 CET	50424	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:19.273108006 CET	445	50424	184.175.83.1	192.168.2.6
Jan 14, 2025 23:02:19.908272982 CET	445	50405	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:19.908377886 CET	50405	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:19.908431053 CET	50405	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:19.908464909 CET	50405	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:19.913322926 CET	445	50405	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:19.913379908 CET	445	50405	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:20.419550896 CET	445	50308	7.123.157.1	192.168.2.6
Jan 14, 2025 23:02:20.419707060 CET	50308	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:02:20.419708014 CET	50308	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:02:20.419708014 CET	50308	445	192.168.2.6	7.123.157.1
Jan 14, 2025 23:02:20.424895048 CET	445	50308	7.123.157.1	192.168.2.6
Jan 14, 2025 23:02:20.424938917 CET	445	50308	7.123.157.1	192.168.2.6
Jan 14, 2025 23:02:20.482187033 CET	50446	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.487315893 CET	445	50446	7.123.157.2	192.168.2.6
Jan 14, 2025 23:02:20.487417936 CET	50446	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.487731934 CET	50447	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.487735033 CET	50446	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.493026018 CET	445	50447	7.123.157.2	192.168.2.6
Jan 14, 2025 23:02:20.493056059 CET	445	50446	7.123.157.2	192.168.2.6
Jan 14, 2025 23:02:20.493103027 CET	50447	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.493132114 CET	50446	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.493176937 CET	50447	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:20.498413086 CET	445	50447	7.123.157.2	192.168.2.6
Jan 14, 2025 23:02:21.138246059 CET	50464	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:21.143553972 CET	445	50464	22.174.74.1	192.168.2.6
Jan 14, 2025 23:02:21.143671036 CET	50464	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:21.143712997 CET	50464	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:21.148927927 CET	445	50464	22.174.74.1	192.168.2.6
Jan 14, 2025 23:02:21.195961952 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:21.195997000 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:21.196074009 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:21.196630001 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:21.196643114 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:21.532640934 CET	445	50316	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:21.532777071 CET	50316	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:21.532777071 CET	50316	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:21.532918930 CET	50316	445	192.168.2.6	190.125.139.1
Jan 14, 2025 23:02:21.537688017 CET	445	50316	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:21.537720919 CET	445	50316	190.125.139.1	192.168.2.6
Jan 14, 2025 23:02:21.995744944 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:21.995826960 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:21.997625113 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:21.997632027 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:21.998398066 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:22.000029087 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:22.000173092 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:22.000176907 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:22.000288010 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:22.047324896 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:22.202513933 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:22.202728987 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:22.202790976 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:22.202965975 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:22.202981949 CET	443	50465	40.113.103.199	192.168.2.6
Jan 14, 2025 23:02:22.202991009 CET	50465	443	192.168.2.6	40.113.103.199
Jan 14, 2025 23:02:22.435079098 CET	445	50319	180.1.23.1	192.168.2.6
Jan 14, 2025 23:02:22.435221910 CET	50319	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:02:22.435362101 CET	50319	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:02:22.435362101 CET	50319	445	192.168.2.6	180.1.23.1
Jan 14, 2025 23:02:22.440179110 CET	445	50319	180.1.23.1	192.168.2.6
Jan 14, 2025 23:02:22.440232038 CET	445	50319	180.1.23.1	192.168.2.6
Jan 14, 2025 23:02:22.497868061 CET	50503	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.503186941 CET	445	50503	180.1.23.2	192.168.2.6
Jan 14, 2025 23:02:22.503288031 CET	50503	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.503355026 CET	50503	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.503530979 CET	50505	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.508958101 CET	445	50505	180.1.23.2	192.168.2.6
Jan 14, 2025 23:02:22.508991003 CET	445	50503	180.1.23.2	192.168.2.6
Jan 14, 2025 23:02:22.509042025 CET	50505	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.509061098 CET	50505	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.509120941 CET	50503	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:22.566678047 CET	445	50505	180.1.23.2	192.168.2.6
Jan 14, 2025 23:02:22.919666052 CET	50523	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:22.924715996 CET	445	50523	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:22.924825907 CET	50523	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:22.924854040 CET	50523	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:22.929698944 CET	445	50523	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:23.091831923 CET	445	50322	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:23.093301058 CET	50322	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:23.093301058 CET	50322	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:23.093301058 CET	50322	445	192.168.2.6	12.2.240.1
Jan 14, 2025 23:02:23.098356009 CET	445	50322	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:23.098555088 CET	445	50322	12.2.240.1	192.168.2.6
Jan 14, 2025 23:02:24.545027018 CET	445	50324	219.163.9.1	192.168.2.6
Jan 14, 2025 23:02:24.545109034 CET	50324	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:24.560220003 CET	445	50326	170.88.223.1	192.168.2.6
Jan 14, 2025 23:02:24.560293913 CET	50326	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:25.016397953 CET	445	50523	118.161.193.3	192.168.2.6
Jan 14, 2025 23:02:25.016483068 CET	50523	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:25.231556892 CET	50390	445	192.168.2.6	11.83.7.2
Jan 14, 2025 23:02:25.231640100 CET	50348	445	192.168.2.6	17.84.70.2
Jan 14, 2025 23:02:25.231681108 CET	50369	445	192.168.2.6	36.109.88.2
Jan 14, 2025 23:02:25.231709957 CET	50379	445	192.168.2.6	138.174.49.1
Jan 14, 2025 23:02:25.231775045 CET	50338	445	192.168.2.6	100.32.218.2
Jan 14, 2025 23:02:25.231839895 CET	50326	445	192.168.2.6	170.88.223.1
Jan 14, 2025 23:02:25.231889963 CET	50333	445	192.168.2.6	62.43.202.2
Jan 14, 2025 23:02:25.231915951 CET	50331	445	192.168.2.6	2.141.195.1
Jan 14, 2025 23:02:25.231919050 CET	50324	445	192.168.2.6	219.163.9.1
Jan 14, 2025 23:02:25.231919050 CET	50330	445	192.168.2.6	137.206.81.1
Jan 14, 2025 23:02:25.231952906 CET	50336	445	192.168.2.6	184.207.137.1
Jan 14, 2025 23:02:25.232089043 CET	50342	445	192.168.2.6	35.223.142.1
Jan 14, 2025 23:02:25.232122898 CET	50346	445	192.168.2.6	104.53.109.1
Jan 14, 2025 23:02:25.232156038 CET	50351	445	192.168.2.6	60.78.186.1
Jan 14, 2025 23:02:25.232172966 CET	50341	445	192.168.2.6	53.26.1.1
Jan 14, 2025 23:02:25.232217073 CET	50352	445	192.168.2.6	178.158.238.1
Jan 14, 2025 23:02:25.232243061 CET	50355	445	192.168.2.6	126.128.51.1
Jan 14, 2025 23:02:25.232290030 CET	50360	445	192.168.2.6	220.125.197.1
Jan 14, 2025 23:02:25.232323885 CET	50361	445	192.168.2.6	174.39.175.1
Jan 14, 2025 23:02:25.232362032 CET	50364	445	192.168.2.6	180.181.199.1
Jan 14, 2025 23:02:25.232395887 CET	50367	445	192.168.2.6	11.60.171.1
Jan 14, 2025 23:02:25.232516050 CET	50371	445	192.168.2.6	168.51.130.1
Jan 14, 2025 23:02:25.232543945 CET	50424	445	192.168.2.6	184.175.83.1
Jan 14, 2025 23:02:25.232583046 CET	50376	445	192.168.2.6	221.93.116.2
Jan 14, 2025 23:02:25.232608080 CET	50397	445	192.168.2.6	31.23.132.1
Jan 14, 2025 23:02:25.232655048 CET	50414	445	192.168.2.6	116.235.7.2
Jan 14, 2025 23:02:25.232714891 CET	50447	445	192.168.2.6	7.123.157.2
Jan 14, 2025 23:02:25.232790947 CET	50464	445	192.168.2.6	22.174.74.1
Jan 14, 2025 23:02:25.232867956 CET	50523	445	192.168.2.6	118.161.193.3
Jan 14, 2025 23:02:25.232974052 CET	50505	445	192.168.2.6	180.1.23.2
Jan 14, 2025 23:02:49.498601913 CET	49705	443	192.168.2.6	20.190.160.20
Jan 14, 2025 23:02:49.503750086 CET	443	49705	20.190.160.20	192.168.2.6
Jan 14, 2025 23:02:49.503802061 CET	49705	443	192.168.2.6	20.190.160.20
Jan 14, 2025 23:02:49.514132977 CET	49708	80	192.168.2.6	2.23.77.188
Jan 14, 2025 23:02:49.514219999 CET	49706	80	192.168.2.6	2.16.168.117
Jan 14, 2025 23:02:49.519141912 CET	80	49708	2.23.77.188	192.168.2.6
Jan 14, 2025 23:02:49.519192934 CET	49708	80	192.168.2.6	2.23.77.188
Jan 14, 2025 23:02:49.519387007 CET	80	49706	2.16.168.117	192.168.2.6
Jan 14, 2025 23:02:49.519429922 CET	49706	80	192.168.2.6	2.16.168.117
Jan 14, 2025 23:02:51.419711113 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:51.419744015 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:51.419827938 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:51.420591116 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:51.420603037 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.124006033 CET	49709	443	192.168.2.6	20.190.160.20
Jan 14, 2025 23:02:52.129138947 CET	443	49709	20.190.160.20	192.168.2.6
Jan 14, 2025 23:02:52.129267931 CET	49709	443	192.168.2.6	20.190.160.20
Jan 14, 2025 23:02:52.342192888 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.342274904 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.344057083 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.344069004 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.344399929 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.345844030 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.345891953 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.345897913 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.346019983 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.387336016 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.516551018 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.516791105 CET	443	50631	40.115.3.253	192.168.2.6
Jan 14, 2025 23:02:52.516885996 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.517009974 CET	50631	443	192.168.2.6	40.115.3.253
Jan 14, 2025 23:02:52.517036915 CET	443	50631	40.115.3.253	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:01:16.778050900 CET	60950	53	192.168.2.6	1.1.1.1
Jan 14, 2025 23:01:17.083368063 CET	53	60950	1.1.1.1	192.168.2.6
Jan 14, 2025 23:01:17.795337915 CET	63335	53	192.168.2.6	1.1.1.1
Jan 14, 2025 23:01:18.271476984 CET	53	63335	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 23:01:16.778050900 CET	192.168.2.6	1.1.1.1	0xa8bd	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:01:17.795337915 CET	192.168.2.6	1.1.1.1	0x757f	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 23:01:17.083368063 CET	1.1.1.1	192.168.2.6	0xa8bd	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:01:18.271476984 CET	1.1.1.1	192.168.2.6	0x757f	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 23:01:18.271476984 CET	1.1.1.1	192.168.2.6	0x757f	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	103.224.212.215	80	5176	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:17.102667093 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:01:17.741022110 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:17 GMT server: Apache set-cookie: __tad=1736892077.4548076; expires=Fri, 12-Jan-2035 22:01:17 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d3b content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49729	199.59.243.228	80	5176	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:18.277554989 CET	169	OUT	GET /?subid1=20250115-0901-17da-b5df-943a25f69d3b HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:01:18.813663006 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:18 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 2180f6aa-a9f1-43cb-a970-295989c970d8 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hyhOuy8FH9Gv+EF6ykrtIeqkVMwnIyfJ5vPxUoH6RP7GDUaqaGSLVV7Z3CwL5UX0lFLhdp40145Femil0aAggw== set-cookie: parking_session=2180f6aa-a9f1-43cb-a970-295989c970d8; expires=Tue, 14 Jan 2025 22:16:18 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 79 68 4f 75 79 38 46 48 39 47 76 2b 45 46 36 79 6b 72 74 49 65 71 6b 56 4d 77 6e 49 79 66 4a 35 76 50 78 55 6f 48 36 52 50 37 47 44 55 61 71 61 47 53 4c 56 56 37 5a 33 43 77 4c 35 55 58 30 6c 46 4c 68 64 70 34 30 31 34 35 46 65 6d 69 6c 30 61 41 67 67 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hyhOuy8FH9Gv+EF6ykrtIeqkVMwnIyfJ5vPxUoH6RP7GDUaqaGSLVV7Z3CwL5UX0lFLhdp40145Femil0aAggw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:01:18.813677073 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjE4MGY2YWEtYTlmMS00M2NiLWE5NzAtMjk1OTg5Yzk3MGQ4IiwicGFnZV90aW1lIjoxNzM2ODkyMDc4LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49735	103.224.212.215	80	3384	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:18.961429119 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:01:19.676537991 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:19 GMT server: Apache set-cookie: __tad=1736892079.6768686; expires=Fri, 12-Jan-2035 22:01:19 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc09356b content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49736	103.224.212.215	80	1596	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:19.086731911 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736892077.4548076
Jan 14, 2025 23:01:19.749943972 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:19 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc542911 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49742	199.59.243.228	80	3384	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:19.685148001 CET	169	OUT	GET /?subid1=20250115-0901-196b-89df-b6fadc09356b HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:01:20.159326077 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:19 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 3a716521-1edf-4a54-8f92-94322b0a1e43 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cP/ARt8bLUQkNCkA/GuMZQl2kibAXZoNfE2JIRVUOHaTjc9Ch6tlO9a/RjF9uXSbIc4YucIqf/w7gFXpdQC/Ig== set-cookie: parking_session=3a716521-1edf-4a54-8f92-94322b0a1e43; expires=Tue, 14 Jan 2025 22:16:20 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 50 2f 41 52 74 38 62 4c 55 51 6b 4e 43 6b 41 2f 47 75 4d 5a 51 6c 32 6b 69 62 41 58 5a 6f 4e 66 45 32 4a 49 52 56 55 4f 48 61 54 6a 63 39 43 68 36 74 6c 4f 39 61 2f 52 6a 46 39 75 58 53 62 49 63 34 59 75 63 49 71 66 2f 77 37 67 46 58 70 64 51 43 2f 49 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cP/ARt8bLUQkNCkA/GuMZQl2kibAXZoNfE2JIRVUOHaTjc9Ch6tlO9a/RjF9uXSbIc4YucIqf/w7gFXpdQC/Ig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:01:20.159383059 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2E3MTY1MjEtMWVkZi00YTU0LThmOTItOTQzMjJiMGExZTQzIiwicGFnZV90aW1lIjoxNzM2ODkyMDgwLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49743	199.59.243.228	80	1596	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:19.762582064 CET	231	OUT	GET /?subid1=20250115-0901-1940-a434-b2c2dc542911 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=2180f6aa-a9f1-43cb-a970-295989c970d8
Jan 14, 2025 23:01:20.218041897 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:19 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 1e5fd563-7434-4be9-9078-85578261bcf8 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rwuSbTGmzLVBOkVi4qtf2H+PPJOZx4HXOvYuQoKYzvn7LX1ENFqL/JvWcZ9b+9gEklbJIotIv3aDDavY8hdWAw== set-cookie: parking_session=2180f6aa-a9f1-43cb-a970-295989c970d8; expires=Tue, 14 Jan 2025 22:16:20 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 77 75 53 62 54 47 6d 7a 4c 56 42 4f 6b 56 69 34 71 74 66 32 48 2b 50 50 4a 4f 5a 78 34 48 58 4f 76 59 75 51 6f 4b 59 7a 76 6e 37 4c 58 31 45 4e 46 71 4c 2f 4a 76 57 63 5a 39 62 2b 39 67 45 6b 6c 62 4a 49 6f 74 49 76 33 61 44 44 61 76 59 38 68 64 57 41 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rwuSbTGmzLVBOkVi4qtf2H+PPJOZx4HXOvYuQoKYzvn7LX1ENFqL/JvWcZ9b+9gEklbJIotIv3aDDavY8hdWAw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 23:01:20.218075037 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjE4MGY2YWEtYTlmMS00M2NiLWE5NzAtMjk1OTg5Yzk3MGQ4IiwicGFnZV90aW1lIjoxNzM2ODkyMDgwLCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49711	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 22:01:12 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 42 58 69 56 31 46 36 37 55 36 4c 67 78 2f 54 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 34 33 65 38 30 37 33 36 37 33 63 39 38 33 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: NBXiV1F67U6Lgx/T.1Context: e43e8073673c9835
2025-01-14 22:01:12 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 22:01:12 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 42 58 69 56 31 46 36 37 55 36 4c 67 78 2f 54 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 34 33 65 38 30 37 33 36 37 33 63 39 38 33 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 42 4d 68 58 76 62 4d 58 6b 72 35 53 78 4a 30 49 39 67 4e 6f 65 54 79 4f 49 46 72 2f 66 6b 4c 41 46 4f 38 76 30 69 53 45 49 52 66 33 4e 4f 46 45 46 4f 6f 43 45 52 66 79 35 65 51 58 63 75 4a 52 45 4a 63 47 63 4c 2b 63 4b 70 75 4a 35 44 6a 51 69 38 41 31 50 70 6d 4f 58 56 77 4b 62 72 74 65 56 50 77 73 38 6e 36 61 74 4d 2b 59 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: NBXiV1F67U6Lgx/T.2Context: e43e8073673c9835<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQBMhXvbMXkr5SxJ0I9gNoeTyOIFr/fkLAFO8v0iSEIRf3NOFEFOoCERfy5eQXcuJREJcGcL+cKpuJ5DjQi8A1PpmOXVwKbrteVPws8n6atM+Y
2025-01-14 22:01:12 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4e 42 58 69 56 31 46 36 37 55 36 4c 67 78 2f 54 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 34 33 65 38 30 37 33 36 37 33 63 39 38 33 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: NBXiV1F67U6Lgx/T.3Context: e43e8073673c9835<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 22:01:13 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 22:01:13 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 56 46 69 32 45 38 30 5a 53 45 36 55 47 6d 56 7a 35 6c 78 35 73 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: VFi2E80ZSE6UGmVz5lx5sw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49752	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 22:01:21 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 46 4b 45 72 56 47 6f 35 74 30 61 69 33 63 6e 6c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 66 61 32 39 64 34 36 62 35 31 37 62 38 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: FKErVGo5t0ai3cnl.1Context: 5ffa29d46b517b82
2025-01-14 22:01:21 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 22:01:21 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 46 4b 45 72 56 47 6f 35 74 30 61 69 33 63 6e 6c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 66 61 32 39 64 34 36 62 35 31 37 62 38 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 42 4d 68 58 76 62 4d 58 6b 72 35 53 78 4a 30 49 39 67 4e 6f 65 54 79 4f 49 46 72 2f 66 6b 4c 41 46 4f 38 76 30 69 53 45 49 52 66 33 4e 4f 46 45 46 4f 6f 43 45 52 66 79 35 65 51 58 63 75 4a 52 45 4a 63 47 63 4c 2b 63 4b 70 75 4a 35 44 6a 51 69 38 41 31 50 70 6d 4f 58 56 77 4b 62 72 74 65 56 50 77 73 38 6e 36 61 74 4d 2b 59 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: FKErVGo5t0ai3cnl.2Context: 5ffa29d46b517b82<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQBMhXvbMXkr5SxJ0I9gNoeTyOIFr/fkLAFO8v0iSEIRf3NOFEFOoCERfy5eQXcuJREJcGcL+cKpuJ5DjQi8A1PpmOXVwKbrteVPws8n6atM+Y
2025-01-14 22:01:21 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 46 4b 45 72 56 47 6f 35 74 30 61 69 33 63 6e 6c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 66 61 32 39 64 34 36 62 35 31 37 62 38 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: FKErVGo5t0ai3cnl.3Context: 5ffa29d46b517b82<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 22:01:21 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 22:01:21 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 49 46 74 65 45 78 48 32 62 6b 65 67 48 55 43 73 66 50 78 76 41 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: IFteExH2bkegHUCsfPxvAA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	49999	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 22:01:35 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6a 56 74 75 30 30 58 52 6c 6b 6d 49 46 75 62 71 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 63 34 36 37 34 36 31 65 62 38 31 38 32 65 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: jVtu00XRlkmIFubq.1Context: cc467461eb8182ec
2025-01-14 22:01:35 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 22:01:35 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6a 56 74 75 30 30 58 52 6c 6b 6d 49 46 75 62 71 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 63 34 36 37 34 36 31 65 62 38 31 38 32 65 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 42 4d 68 58 76 62 4d 58 6b 72 35 53 78 4a 30 49 39 67 4e 6f 65 54 79 4f 49 46 72 2f 66 6b 4c 41 46 4f 38 76 30 69 53 45 49 52 66 33 4e 4f 46 45 46 4f 6f 43 45 52 66 79 35 65 51 58 63 75 4a 52 45 4a 63 47 63 4c 2b 63 4b 70 75 4a 35 44 6a 51 69 38 41 31 50 70 6d 4f 58 56 77 4b 62 72 74 65 56 50 77 73 38 6e 36 61 74 4d 2b 59 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: jVtu00XRlkmIFubq.2Context: cc467461eb8182ec<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQBMhXvbMXkr5SxJ0I9gNoeTyOIFr/fkLAFO8v0iSEIRf3NOFEFOoCERfy5eQXcuJREJcGcL+cKpuJ5DjQi8A1PpmOXVwKbrteVPws8n6atM+Y
2025-01-14 22:01:35 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6a 56 74 75 30 30 58 52 6c 6b 6d 49 46 75 62 71 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 63 34 36 37 34 36 31 65 62 38 31 38 32 65 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: jVtu00XRlkmIFubq.3Context: cc467461eb8182ec<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 22:01:35 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 22:01:35 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 48 6c 42 66 7a 46 68 45 41 55 65 55 72 44 34 35 65 39 6c 6c 61 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: HlBfzFhEAUeUrD45e9llag.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50288	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 22:01:57 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 72 30 6f 63 30 6e 61 42 78 55 71 35 7a 6c 5a 35 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 61 33 33 38 61 38 38 34 61 39 34 32 63 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: r0oc0naBxUq5zlZ5.1Context: 5da338a884a942c6
2025-01-14 22:01:57 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 22:01:57 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 72 30 6f 63 30 6e 61 42 78 55 71 35 7a 6c 5a 35 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 61 33 33 38 61 38 38 34 61 39 34 32 63 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 42 4d 68 58 76 62 4d 58 6b 72 35 53 78 4a 30 49 39 67 4e 6f 65 54 79 4f 49 46 72 2f 66 6b 4c 41 46 4f 38 76 30 69 53 45 49 52 66 33 4e 4f 46 45 46 4f 6f 43 45 52 66 79 35 65 51 58 63 75 4a 52 45 4a 63 47 63 4c 2b 63 4b 70 75 4a 35 44 6a 51 69 38 41 31 50 70 6d 4f 58 56 77 4b 62 72 74 65 56 50 77 73 38 6e 36 61 74 4d 2b 59 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: r0oc0naBxUq5zlZ5.2Context: 5da338a884a942c6<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQBMhXvbMXkr5SxJ0I9gNoeTyOIFr/fkLAFO8v0iSEIRf3NOFEFOoCERfy5eQXcuJREJcGcL+cKpuJ5DjQi8A1PpmOXVwKbrteVPws8n6atM+Y
2025-01-14 22:01:57 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 72 30 6f 63 30 6e 61 42 78 55 71 35 7a 6c 5a 35 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 61 33 33 38 61 38 38 34 61 39 34 32 63 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: r0oc0naBxUq5zlZ5.3Context: 5da338a884a942c6<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 22:01:57 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 22:01:57 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 48 34 61 65 77 76 76 30 2f 45 69 77 74 55 44 6a 45 56 35 6a 45 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: H4aewvv0/EiwtUDjEV5jEA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50465	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 22:02:21 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 70 37 62 58 4b 55 54 47 61 6b 69 2f 35 4e 66 51 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 63 63 35 32 63 32 36 35 31 34 65 66 66 36 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: p7bXKUTGaki/5NfQ.1Context: 7cc52c26514eff64
2025-01-14 22:02:21 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 22:02:21 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 70 37 62 58 4b 55 54 47 61 6b 69 2f 35 4e 66 51 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 63 63 35 32 63 32 36 35 31 34 65 66 66 36 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 42 4d 68 58 76 62 4d 58 6b 72 35 53 78 4a 30 49 39 67 4e 6f 65 54 79 4f 49 46 72 2f 66 6b 4c 41 46 4f 38 76 30 69 53 45 49 52 66 33 4e 4f 46 45 46 4f 6f 43 45 52 66 79 35 65 51 58 63 75 4a 52 45 4a 63 47 63 4c 2b 63 4b 70 75 4a 35 44 6a 51 69 38 41 31 50 70 6d 4f 58 56 77 4b 62 72 74 65 56 50 77 73 38 6e 36 61 74 4d 2b 59 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: p7bXKUTGaki/5NfQ.2Context: 7cc52c26514eff64<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQBMhXvbMXkr5SxJ0I9gNoeTyOIFr/fkLAFO8v0iSEIRf3NOFEFOoCERfy5eQXcuJREJcGcL+cKpuJ5DjQi8A1PpmOXVwKbrteVPws8n6atM+Y
2025-01-14 22:02:21 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 70 37 62 58 4b 55 54 47 61 6b 69 2f 35 4e 66 51 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 63 63 35 32 63 32 36 35 31 34 65 66 66 36 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: p7bXKUTGaki/5NfQ.3Context: 7cc52c26514eff64<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 22:02:22 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 22:02:22 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 74 4b 4a 39 38 72 4c 4b 37 30 6d 32 35 59 57 55 41 62 54 74 4c 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: tKJ98rLK70m25YWUAbTtLg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50631	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 22:02:52 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 47 42 55 78 42 41 4a 53 58 6b 69 2b 70 34 71 76 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 32 61 66 35 31 39 61 33 63 66 66 62 30 39 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: GBUxBAJSXki+p4qv.1Context: 92af519a3cffb09c
2025-01-14 22:02:52 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 22:02:52 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 47 42 55 78 42 41 4a 53 58 6b 69 2b 70 34 71 76 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 32 61 66 35 31 39 61 33 63 66 66 62 30 39 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 42 4d 68 58 76 62 4d 58 6b 72 35 53 78 4a 30 49 39 67 4e 6f 65 54 79 4f 49 46 72 2f 66 6b 4c 41 46 4f 38 76 30 69 53 45 49 52 66 33 4e 4f 46 45 46 4f 6f 43 45 52 66 79 35 65 51 58 63 75 4a 52 45 4a 63 47 63 4c 2b 63 4b 70 75 4a 35 44 6a 51 69 38 41 31 50 70 6d 4f 58 56 77 4b 62 72 74 65 56 50 77 73 38 6e 36 61 74 4d 2b 59 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: GBUxBAJSXki+p4qv.2Context: 92af519a3cffb09c<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQBMhXvbMXkr5SxJ0I9gNoeTyOIFr/fkLAFO8v0iSEIRf3NOFEFOoCERfy5eQXcuJREJcGcL+cKpuJ5DjQi8A1PpmOXVwKbrteVPws8n6atM+Y
2025-01-14 22:02:52 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 47 42 55 78 42 41 4a 53 58 6b 69 2b 70 34 71 76 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 32 61 66 35 31 39 61 33 63 66 66 62 30 39 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: GBUxBAJSXki+p4qv.3Context: 92af519a3cffb09c<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 22:02:52 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 22:02:52 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 69 41 4c 77 54 4d 41 6b 77 6b 36 2f 44 73 41 38 75 37 57 65 6b 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: iALwTMAkwk6/DsA8u7Wekg.0Payload parsing failed.

Target ID:	0
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll"
Imagebase:	0x380000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\04Ct9PoJrL.dll,PlayGame
Imagebase:	0x990000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",#1
Imagebase:	0x990000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:01:14
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	DDC00ED41F44D1047F3D34DC3B6D6A47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2200798894.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:01:17
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	DDC00ED41F44D1047F3D34DC3B6D6A47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2227545869.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2881995762.0000000002284000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2881728256.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:01:17
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\04Ct9PoJrL.dll",PlayGame
Imagebase:	0x990000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:01:17
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	DDC00ED41F44D1047F3D34DC3B6D6A47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2245265160.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2228574250.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	65.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	8

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNEL32(00000000), ref: 00407E68
CreateProcessA.KERNEL32 ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000006.00000002.2244672985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2244628091.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244705333.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244823436.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2244672985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2244628091.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244705333.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244823436.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2244672985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2244628091.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244705333.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244823436.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2244672985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2244628091.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244705333.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244823436.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2244672985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2244628091.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244705333.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244823436.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2244934192.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 3384, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2880842049.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2880826710.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880857426.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880924571.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880940017.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2880842049.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2880826710.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880857426.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880924571.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880940017.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2880842049.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2880826710.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880857426.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880924571.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880940017.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
C:\%s\%s, xrefs: 00407DFB
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000008.00000002.2880842049.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2880826710.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880857426.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880924571.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880940017.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2880842049.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2880826710.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880857426.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880871750.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880924571.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2880940017.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2881029500.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc5429	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc09356b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc542911	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d3b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc0935	Avira URL Cloud: Label: malware

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-17da-b5df-943a25f69d3b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736892077.4548076
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-196b-89df-b6fadc09356b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-1940-a434-b2c2dc542911 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=2180f6aa-a9f1-43cb-a970-295989c970d8

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49735 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49723 -> 103.224.212.215:80

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50288 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50465 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50631 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.32.218.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.73
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.73
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.73
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.73
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1
Source: unknown	TCP traffic detected without corresponding DNS query: 17.84.70.1

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2245439080.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.2245439080.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-17da-b5df-943a25f69d
Source: mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-1940-a434-b2c2dc5429
Source: mssecsvr.exe, 00000008.00000002.2881281855.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2244826751.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-196b-89df-b6fadc0935
Source: 04Ct9PoJrL.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.2245439080.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2245439080.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/-
Source: mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A-
Source: mssecsvr.exe, 00000006.00000002.2245439080.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L
Source: mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/M
Source: mssecsvr.exe, 0000000A.00000002.2245851204.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/N
Source: mssecsvr.exe, 00000008.00000002.2881281855.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/k
Source: mssecsvr.exe, 00000008.00000002.2880792537.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50465 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50465
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50288
Source: unknown	Network traffic detected: HTTP traffic on port 50631 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50631
Source: unknown	Network traffic detected: HTTP traffic on port 50288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999

Source: Yara match	File source: 04Ct9PoJrL.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5e104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2284948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22758c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5e104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2284948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.22808e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1d5a0a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.2200798894.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2245265160.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2228574250.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2227545869.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2880909986.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2244750800.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2881995762.0000000002284000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2881728256.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 1596, type: MEMORYSTR

Source: 04Ct9PoJrL.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22758c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4f084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5e104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5e104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2284948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2284948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.22758c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22758c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d5e104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2284948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22808e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5a0a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe			Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: 04Ct9PoJrL.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22758c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4f084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5e104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5e104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2284948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2284948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.22758c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22758c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4f084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d5e104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2284948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22808e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5a0a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T

Source: tasksche.exe.10.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.10.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.10.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 04Ct9PoJrL.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
04Ct9PoJrL.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre