Edit tour

Windows Analysis Report
sLlAsC4I5r.dll

Overview

General Information

Sample name:	sLlAsC4I5r.dll renamed because original name is a hash value
Original sample name:	c04e6ce0dafa8fd0c005f90f997083d1.dll
Analysis ID:	1591379
MD5:	c04e6ce0dafa8fd0c005f90f997083d1
SHA1:	3a490c08092a8e5b7ddaff52a30a64d5e873b9f3
SHA256:	114cb2b71e51f0a881dd301a9be2af57c5c4cf50ee59c1c19274b85c7be8b0f8
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7424 cmdline: loaddll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7476 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7484 cmdline: rundll32.exe C:\Users\user\Desktop\sLlAsC4I5r.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7532 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 7FB008D5D5B7287BE887984844A4AC41)

rundll32.exe (PID: 7716 cmdline: rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7732 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 7FB008D5D5B7287BE887984844A4AC41)

mssecsvr.exe (PID: 7648 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 7FB008D5D5B7287BE887984844A4AC41)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sLlAsC4I5r.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
sLlAsC4I5r.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1378591463.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1336491510.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.1365489627.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.1357140442.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2015410106.000000000227D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2015123751.0000000001D59000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7532	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7648	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7732	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvr.exe.226e8c8.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d4a084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d4a084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d4a084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d4a084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.227d948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227d948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.227d948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.226e8c8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.226e8c8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.226e8c8.6.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d59104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d59104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d59104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.227d948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227d948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d59104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d59104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x50c9d4:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d550a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d550a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.22798e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22798e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
Click to see the 35 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:01:22.671123+0100	2803304	3	Unknown Traffic	192.168.2.7	49705	103.224.212.215	80	TCP
2025-01-14T23:01:25.242495+0100	2803304	3	Unknown Traffic	192.168.2.7	49713	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T23:01:21.914965+0100	2830018	1	A Network Trojan was detected	192.168.2.7	55123	1.1.1.1	53	UDP

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03

Source: sLlAsC4I5r.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sLlAsC4I5r.dll,PlayGame

Source: sLlAsC4I5r.dll	Virustotal: Detection: 94%
Source: sLlAsC4I5r.dll	ReversingLabs: Detection: 90%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sLlAsC4I5r.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sLlAsC4I5r.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: sLlAsC4I5r.dll

Static file information: File size 5267459 > 1048576

Source: sLlAsC4I5r.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.59119556320733

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 7776	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7776	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7780	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7780	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7776	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000006.00000002.1377577741.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP2
Source: mssecsvr.exe, 00000006.00000002.1377577741.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2014635150.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`1

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1

Jump to behavior

Source: mssecsvr.exe, 00000006.00000002.1377366936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000007.00000002.2014362748.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000007.00000002.2015410106.000000000227D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2015123751.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000000.1365580183.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe.6.dr

Binary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sLlAsC4I5r.dll	94%	Virustotal		Browse
sLlAsC4I5r.dll	90%	ReversingLabs	Win32.Ransomware.WannaCry
sLlAsC4I5r.dll	100%	Avira	TR/AD.DPulsarShellcode.gohtr
sLlAsC4I5r.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	79%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	79%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c2	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f19b	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f1	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comr	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/S	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b4	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b467	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c202	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f19b	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b467	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c202	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L	mssecsvr.exe, 00000006.00000002.1377577741.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c2	mssecsvr.exe, 00000006.00000002.1377577741.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1377577741.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1377577741.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.1377577741.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	sLlAsC4I5r.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f1	mssecsvr.exe, 00000007.00000002.2014635150.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B	mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comr	mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/S	mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2	mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r	mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22	mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b4	mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000003.1377483851.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000007.00000002.2014062047.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/6L	mssecsvr.exe, 00000009.00000002.1379157550.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com#	mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2	mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
63.48.67.31	unknown	United States	701	UUNETUS	false
126.112.145.183	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
109.143.164.166	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
58.100.254.22	unknown	China	24139	WASUHZHuashumediaNetworkLimitedCN	false
152.147.57.1	unknown	Australia	6400	CompaniaDominicanadeTelefonosSADO	false
132.251.70.33	unknown	Peru	21575	ENTELPERUSAPE	false
130.184.107.1	unknown	United States	10508	UARK-FAYETTEVILLEUS	false
182.19.215.1	unknown	Singapore	55430	STARHUB-NGNBNStarhubLtdSG	false
140.192.249.69	unknown	United States	20130	DEPAULUS	false
109.143.164.1	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
79.169.8.2	unknown	Portugal	2860	NOS_COMUNICACOESPT	false
79.169.8.1	unknown	Portugal	2860	NOS_COMUNICACOESPT	false
39.80.197.203	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
130.184.107.238	unknown	United States	10508	UARK-FAYETTEVILLEUS	false
141.193.184.54	unknown	United States	53292	MWAYUS	false
67.118.253.243	unknown	United States	11191	F2W-ASUS	false
99.232.202.235	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
219.56.238.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
59.130.120.1	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
59.130.120.2	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
148.67.37.1	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
102.252.16.166	unknown	South Africa	5713	SAIX-NETZA	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591379
Start date and time:	2025-01-14 23:00:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sLlAsC4I5r.dll renamed because original name is a hash value
Original Sample Name:	c04e6ce0dafa8fd0c005f90f997083d1.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:01:23	API Interceptor	1x Sleep call for process: loaddll32.exe modified
17:01:59	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UUNETUS	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	63.93.143.167
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	68.135.139.2
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	158.225.208.1
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	208.220.165.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	100.58.154.124
	ppc.elf	Get hash	malicious	Unknown	Browse	63.91.99.74
	m68k.elf	Get hash	malicious	Unknown	Browse	65.217.125.113
	i686.elf	Get hash	malicious	Unknown	Browse	149.228.78.158
	x86.elf	Get hash	malicious	Unknown	Browse	141.158.117.223
	arm5.elf	Get hash	malicious	Unknown	Browse	71.191.111.230
PROXIMUS-ISP-ASBE	elitebotnet.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	91.180.223.136
	elitebotnet.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	195.95.97.233
	5.elf	Get hash	malicious	Unknown	Browse	178.144.195.45
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	109.139.205.171
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	91.178.113.202
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	91.178.113.245
	frosty.sh4.elf	Get hash	malicious	Mirai	Browse	109.142.52.124
	armv5l.elf	Get hash	malicious	Unknown	Browse	87.65.230.219
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	81.241.209.204
	sora.mips.elf	Get hash	malicious	Unknown	Browse	109.129.79.181
WASUHZHuashumediaNetworkLimitedCN	6.elf	Get hash	malicious	Unknown	Browse	219.82.255.174
	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	218.108.134.37
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	58.101.152.91
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	58.101.164.88
	armv5l.elf	Get hash	malicious	Unknown	Browse	58.100.157.67
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	125.210.206.59
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	219.82.120.197
	nshkmips.elf	Get hash	malicious	Mirai	Browse	218.108.109.69
	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	218.108.210.197
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	58.101.176.50
GIGAINFRASoftbankBBCorpJP	YZJG8NuHEP.dll	Get hash	malicious	Wannacry	Browse	126.46.181.1
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	126.147.175.1
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	126.245.156.111
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	126.245.102.34
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	219.174.245.132
	meth10.elf	Get hash	malicious	Mirai	Browse	60.132.41.97
	meth3.elf	Get hash	malicious	Mirai	Browse	219.40.50.142
	meth8.elf	Get hash	malicious	Mirai	Browse	219.206.176.119
	arm4.elf	Get hash	malicious	Unknown	Browse	60.131.121.59
	ppc.elf	Get hash	malicious	Unknown	Browse	126.220.122.94

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.782759060913005
Encrypted:	false
SSDEEP:	49152:EMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAW:EPoBhz1aRxcSUDk36SAp
MD5:	A72619A92308E5B344215B724D6405F9
SHA1:	AF73E64DB5D0DB431C35E7900D07E1A3B5AC44F8
SHA-256:	34DC95C4E0FE17326D252CBB0146FD4C10CB5D565C2E4B3998CC39187997CFEF
SHA-512:	B8185016742CCBB76A599126F151F4ECD6F537BB5936063A85BDE9C276FE32C23017787B5730E63A9CD9994E71063310FF7D87965A2A4C6A7F5DECD9F61013F4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.782759060913005
Encrypted:	false
SSDEEP:	49152:EMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAW:EPoBhz1aRxcSUDk36SAp
MD5:	A72619A92308E5B344215B724D6405F9
SHA1:	AF73E64DB5D0DB431C35E7900D07E1A3B5AC44F8
SHA-256:	34DC95C4E0FE17326D252CBB0146FD4C10CB5D565C2E4B3998CC39187997CFEF
SHA-512:	B8185016742CCBB76A599126F151F4ECD6F537BB5936063A85BDE9C276FE32C23017787B5730E63A9CD9994E71063310FF7D87965A2A4C6A7F5DECD9F61013F4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.104093182393967
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sLlAsC4I5r.dll
File size:	5'267'459 bytes
MD5:	c04e6ce0dafa8fd0c005f90f997083d1
SHA1:	3a490c08092a8e5b7ddaff52a30a64d5e873b9f3
SHA256:	114cb2b71e51f0a881dd301a9be2af57c5c4cf50ee59c1c19274b85c7be8b0f8
SHA512:	cf32e15c4f0e706bae9c619b2e106aa5b7e3a85c9643c89a23d47ac94bfe03417cc16d89b53f3e5e6b858df31aaeb9d8bfc5fa6eb09838f25b69ec7dd46b9363
SSDEEP:	49152:RnGMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:1GPoBhz1aRxcSUDk36SA
TLSH:	6936F115A1E82B64E7F36FB2217B871047797E45889B925E1760A04F0C33F5CDEA2F29
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F20D14212FBh
cmp dword ptr [10003140h], 00000000h
jmp 00007F20D1421318h
cmp esi, 01h
je 00007F20D14212F7h
cmp esi, 02h
jne 00007F20D1421314h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F20D14212FBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F20D14212FEh
push edi
push esi
push ebx
call 00007F20D142120Ah
test eax, eax
jne 00007F20D14212F6h
xor eax, eax
jmp 00007F20D1421340h
push edi
push esi
push ebx
call 00007F20D14210BCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F20D14212FEh
test eax, eax
jne 00007F20D1421329h
push edi
push eax
push ebx
call 00007F20D14211E6h
test esi, esi
je 00007F20D14212F7h
cmp esi, 03h
jne 00007F20D1421318h
push edi
push esi
push ebx
call 00007F20D14211D5h
test eax, eax
jne 00007F20D14212F5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F20D1421303h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F20D14212FAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	f6b95d626b2fe810c21037fbec681b3d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8766069412231445

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T23:01:21.914965+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.7	55123	1.1.1.1	53	UDP
2025-01-14T23:01:22.671123+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49705	103.224.212.215	80	TCP
2025-01-14T23:01:25.242495+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49713	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:01:14.859170914 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 23:01:15.280987978 CET	49671	443	192.168.2.7	204.79.197.203
Jan 14, 2025 23:01:15.624711037 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 23:01:15.968588114 CET	49674	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:15.968615055 CET	49675	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:16.093497992 CET	49672	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:17.124769926 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 23:01:20.109385014 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 23:01:22.074084997 CET	49705	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:22.078898907 CET	80	49705	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:22.078963995 CET	49705	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:22.080096006 CET	49705	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:22.084868908 CET	80	49705	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:22.671039104 CET	80	49705	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:22.671123028 CET	49705	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:22.671148062 CET	80	49705	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:22.671291113 CET	49705	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:22.684258938 CET	49705	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:22.689083099 CET	80	49705	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:23.016143084 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.021944046 CET	80	49707	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:23.022011042 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.022124052 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.026859045 CET	80	49707	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:23.475541115 CET	80	49707	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:23.475580931 CET	80	49707	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:23.475601912 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.475624084 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.577929020 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.578496933 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:23.582995892 CET	80	49707	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:23.583041906 CET	49707	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:24.361234903 CET	49713	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:24.591402054 CET	80	49713	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:24.591506004 CET	49713	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:24.591661930 CET	49713	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:24.601845980 CET	80	49713	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:24.705621958 CET	49714	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:24.711014986 CET	80	49714	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:24.711090088 CET	49714	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:24.711371899 CET	49714	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:24.716274023 CET	80	49714	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:24.888298988 CET	49671	443	192.168.2.7	204.79.197.203
Jan 14, 2025 23:01:25.242415905 CET	80	49713	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:25.242481947 CET	80	49713	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:25.242495060 CET	49713	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:25.242549896 CET	49713	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:25.245326996 CET	49713	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:25.246273994 CET	49715	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.250085115 CET	80	49713	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:25.251077890 CET	80	49715	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.251307011 CET	49715	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.251307011 CET	49715	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.256133080 CET	80	49715	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.350713968 CET	80	49714	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:25.350826025 CET	80	49714	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:25.350905895 CET	49714	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:25.354090929 CET	49714	80	192.168.2.7	103.224.212.215
Jan 14, 2025 23:01:25.355901003 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.358885050 CET	80	49714	103.224.212.215	192.168.2.7
Jan 14, 2025 23:01:25.360709906 CET	80	49716	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.363327980 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.363534927 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.368298054 CET	80	49716	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.578201056 CET	49675	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:25.578278065 CET	49674	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:25.703181982 CET	49672	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:25.716434956 CET	80	49715	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.716480970 CET	80	49715	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.716931105 CET	49715	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.722470045 CET	49715	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.722470045 CET	49715	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.754921913 CET	49722	445	192.168.2.7	141.193.184.54
Jan 14, 2025 23:01:25.759814978 CET	445	49722	141.193.184.54	192.168.2.7
Jan 14, 2025 23:01:25.760164976 CET	49722	445	192.168.2.7	141.193.184.54
Jan 14, 2025 23:01:25.760890007 CET	49722	445	192.168.2.7	141.193.184.54
Jan 14, 2025 23:01:25.760890007 CET	49723	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.765806913 CET	445	49722	141.193.184.54	192.168.2.7
Jan 14, 2025 23:01:25.765841961 CET	445	49723	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:25.766200066 CET	49722	445	192.168.2.7	141.193.184.54
Jan 14, 2025 23:01:25.766200066 CET	49723	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.766285896 CET	49723	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.771289110 CET	445	49723	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:25.771373034 CET	49723	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.772840977 CET	49725	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.777651072 CET	445	49725	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:25.777719021 CET	49725	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.777772903 CET	49725	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:25.782596111 CET	445	49725	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:25.824352026 CET	80	49716	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.824409008 CET	80	49716	199.59.243.228	192.168.2.7
Jan 14, 2025 23:01:25.824419022 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.824557066 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.835041046 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:25.835041046 CET	49716	80	192.168.2.7	199.59.243.228
Jan 14, 2025 23:01:26.062571049 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 23:01:27.767133951 CET	49759	445	192.168.2.7	198.110.238.81
Jan 14, 2025 23:01:27.771886110 CET	445	49759	198.110.238.81	192.168.2.7
Jan 14, 2025 23:01:27.771950960 CET	49759	445	192.168.2.7	198.110.238.81
Jan 14, 2025 23:01:27.771990061 CET	49759	445	192.168.2.7	198.110.238.81
Jan 14, 2025 23:01:27.772394896 CET	49760	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.776846886 CET	445	49759	198.110.238.81	192.168.2.7
Jan 14, 2025 23:01:27.776890993 CET	49759	445	192.168.2.7	198.110.238.81
Jan 14, 2025 23:01:27.777200937 CET	445	49760	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:27.777254105 CET	49760	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.777293921 CET	49760	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.778634071 CET	49761	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.782269955 CET	445	49760	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:27.782315969 CET	49760	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.783499002 CET	445	49761	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:27.783545017 CET	49761	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.783585072 CET	49761	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:27.788455009 CET	445	49761	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:28.217452049 CET	443	49704	104.98.116.138	192.168.2.7
Jan 14, 2025 23:01:28.217550993 CET	49704	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:29.788276911 CET	49796	445	192.168.2.7	99.232.202.235
Jan 14, 2025 23:01:29.794910908 CET	445	49796	99.232.202.235	192.168.2.7
Jan 14, 2025 23:01:29.794996023 CET	49796	445	192.168.2.7	99.232.202.235
Jan 14, 2025 23:01:29.802278042 CET	49796	445	192.168.2.7	99.232.202.235
Jan 14, 2025 23:01:29.802599907 CET	49798	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.809349060 CET	445	49798	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:29.809369087 CET	445	49796	99.232.202.235	192.168.2.7
Jan 14, 2025 23:01:29.809456110 CET	49798	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.809475899 CET	49796	445	192.168.2.7	99.232.202.235
Jan 14, 2025 23:01:29.815954924 CET	49798	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.818089008 CET	49799	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.822575092 CET	445	49798	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:29.822635889 CET	49798	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.824737072 CET	445	49799	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:29.824800014 CET	49799	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.824873924 CET	49799	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:29.831572056 CET	445	49799	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:31.798544884 CET	49829	445	192.168.2.7	79.169.8.81
Jan 14, 2025 23:01:31.803344011 CET	445	49829	79.169.8.81	192.168.2.7
Jan 14, 2025 23:01:31.803437948 CET	49829	445	192.168.2.7	79.169.8.81
Jan 14, 2025 23:01:31.803492069 CET	49829	445	192.168.2.7	79.169.8.81
Jan 14, 2025 23:01:31.803697109 CET	49830	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.808722019 CET	445	49830	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:31.808732986 CET	445	49829	79.169.8.81	192.168.2.7
Jan 14, 2025 23:01:31.808805943 CET	49829	445	192.168.2.7	79.169.8.81
Jan 14, 2025 23:01:31.808876991 CET	49830	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.808876991 CET	49830	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.809942961 CET	49831	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.813888073 CET	445	49830	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:31.813946962 CET	49830	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.814872980 CET	445	49831	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:31.814989090 CET	49831	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.815025091 CET	49831	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:31.819736004 CET	445	49831	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:34.072943926 CET	49860	445	192.168.2.7	207.147.9.74
Jan 14, 2025 23:01:34.077831030 CET	445	49860	207.147.9.74	192.168.2.7
Jan 14, 2025 23:01:34.077907085 CET	49860	445	192.168.2.7	207.147.9.74
Jan 14, 2025 23:01:34.107187033 CET	49860	445	192.168.2.7	207.147.9.74
Jan 14, 2025 23:01:34.107217073 CET	49861	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.112030029 CET	445	49861	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:34.112040043 CET	445	49860	207.147.9.74	192.168.2.7
Jan 14, 2025 23:01:34.112128019 CET	49861	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.112128019 CET	49860	445	192.168.2.7	207.147.9.74
Jan 14, 2025 23:01:34.113881111 CET	49861	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.118704081 CET	445	49861	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:34.118765116 CET	49861	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.231554031 CET	49864	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.236443043 CET	445	49864	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:34.236500025 CET	49864	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.237171888 CET	49864	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:34.241930962 CET	445	49864	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:35.970732927 CET	49897	445	192.168.2.7	39.80.197.203
Jan 14, 2025 23:01:35.975560904 CET	445	49897	39.80.197.203	192.168.2.7
Jan 14, 2025 23:01:35.975687981 CET	49897	445	192.168.2.7	39.80.197.203
Jan 14, 2025 23:01:35.975687981 CET	49897	445	192.168.2.7	39.80.197.203
Jan 14, 2025 23:01:35.975965977 CET	49898	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.980696917 CET	445	49897	39.80.197.203	192.168.2.7
Jan 14, 2025 23:01:35.980768919 CET	445	49898	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:35.980808020 CET	49897	445	192.168.2.7	39.80.197.203
Jan 14, 2025 23:01:35.980849981 CET	49898	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.980873108 CET	49898	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.983261108 CET	49899	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.985774994 CET	445	49898	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:35.985841990 CET	49898	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.988039017 CET	445	49899	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:35.989233017 CET	49899	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.989233017 CET	49899	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:35.993995905 CET	445	49899	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:36.573551893 CET	49704	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:36.573857069 CET	49912	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:36.573955059 CET	443	49912	104.98.116.138	192.168.2.7
Jan 14, 2025 23:01:36.574038029 CET	49912	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:36.577647924 CET	49912	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:01:36.577682018 CET	443	49912	104.98.116.138	192.168.2.7
Jan 14, 2025 23:01:36.578355074 CET	443	49704	104.98.116.138	192.168.2.7
Jan 14, 2025 23:01:37.969254971 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 23:01:37.987736940 CET	49932	445	192.168.2.7	140.192.249.69
Jan 14, 2025 23:01:37.993165970 CET	445	49932	140.192.249.69	192.168.2.7
Jan 14, 2025 23:01:37.993231058 CET	49932	445	192.168.2.7	140.192.249.69
Jan 14, 2025 23:01:37.993311882 CET	49932	445	192.168.2.7	140.192.249.69
Jan 14, 2025 23:01:37.993441105 CET	49933	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:37.998307943 CET	445	49933	140.192.249.1	192.168.2.7
Jan 14, 2025 23:01:37.998402119 CET	49933	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:37.998403072 CET	49933	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:37.998419046 CET	445	49932	140.192.249.69	192.168.2.7
Jan 14, 2025 23:01:37.998470068 CET	49932	445	192.168.2.7	140.192.249.69
Jan 14, 2025 23:01:37.998744011 CET	49934	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:38.003520012 CET	445	49933	140.192.249.1	192.168.2.7
Jan 14, 2025 23:01:38.003557920 CET	445	49934	140.192.249.1	192.168.2.7
Jan 14, 2025 23:01:38.003595114 CET	49933	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:38.003614902 CET	49934	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:38.003628016 CET	49934	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:38.008444071 CET	445	49934	140.192.249.1	192.168.2.7
Jan 14, 2025 23:01:40.003591061 CET	49971	445	192.168.2.7	71.53.117.51
Jan 14, 2025 23:01:40.008404016 CET	445	49971	71.53.117.51	192.168.2.7
Jan 14, 2025 23:01:40.008526087 CET	49971	445	192.168.2.7	71.53.117.51
Jan 14, 2025 23:01:40.008610964 CET	49971	445	192.168.2.7	71.53.117.51
Jan 14, 2025 23:01:40.008718967 CET	49972	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.013396025 CET	445	49971	71.53.117.51	192.168.2.7
Jan 14, 2025 23:01:40.013514042 CET	445	49972	71.53.117.1	192.168.2.7
Jan 14, 2025 23:01:40.013551950 CET	445	49971	71.53.117.51	192.168.2.7
Jan 14, 2025 23:01:40.013581991 CET	49972	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.013711929 CET	49972	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.013786077 CET	49971	445	192.168.2.7	71.53.117.51
Jan 14, 2025 23:01:40.013994932 CET	49973	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.018753052 CET	445	49972	71.53.117.1	192.168.2.7
Jan 14, 2025 23:01:40.018811941 CET	49972	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.018940926 CET	445	49973	71.53.117.1	192.168.2.7
Jan 14, 2025 23:01:40.019109011 CET	49973	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.019165993 CET	49973	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:01:40.023993969 CET	445	49973	71.53.117.1	192.168.2.7
Jan 14, 2025 23:01:42.016896009 CET	50005	445	192.168.2.7	59.130.120.189
Jan 14, 2025 23:01:42.021930933 CET	445	50005	59.130.120.189	192.168.2.7
Jan 14, 2025 23:01:42.022042036 CET	50005	445	192.168.2.7	59.130.120.189
Jan 14, 2025 23:01:42.022089005 CET	50005	445	192.168.2.7	59.130.120.189
Jan 14, 2025 23:01:42.022224903 CET	50006	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.027400017 CET	445	50006	59.130.120.1	192.168.2.7
Jan 14, 2025 23:01:42.027411938 CET	445	50005	59.130.120.189	192.168.2.7
Jan 14, 2025 23:01:42.027476072 CET	50005	445	192.168.2.7	59.130.120.189
Jan 14, 2025 23:01:42.027544022 CET	50006	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.027544022 CET	50006	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.027750015 CET	50007	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.032532930 CET	445	50007	59.130.120.1	192.168.2.7
Jan 14, 2025 23:01:42.032630920 CET	50007	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.032630920 CET	50007	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.032819033 CET	445	50006	59.130.120.1	192.168.2.7
Jan 14, 2025 23:01:42.032861948 CET	50006	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:01:42.037408113 CET	445	50007	59.130.120.1	192.168.2.7
Jan 14, 2025 23:01:44.032547951 CET	50045	445	192.168.2.7	152.147.57.183
Jan 14, 2025 23:01:44.038532972 CET	445	50045	152.147.57.183	192.168.2.7
Jan 14, 2025 23:01:44.038614035 CET	50045	445	192.168.2.7	152.147.57.183
Jan 14, 2025 23:01:44.038649082 CET	50045	445	192.168.2.7	152.147.57.183
Jan 14, 2025 23:01:44.038861036 CET	50046	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.044879913 CET	445	50045	152.147.57.183	192.168.2.7
Jan 14, 2025 23:01:44.044895887 CET	445	50046	152.147.57.1	192.168.2.7
Jan 14, 2025 23:01:44.044961929 CET	50045	445	192.168.2.7	152.147.57.183
Jan 14, 2025 23:01:44.045038939 CET	50046	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.045121908 CET	50046	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.045703888 CET	50047	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.050020933 CET	445	50046	152.147.57.1	192.168.2.7
Jan 14, 2025 23:01:44.050074100 CET	50046	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.050549030 CET	445	50047	152.147.57.1	192.168.2.7
Jan 14, 2025 23:01:44.050757885 CET	50047	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.050801039 CET	50047	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:01:44.055514097 CET	445	50047	152.147.57.1	192.168.2.7
Jan 14, 2025 23:01:46.048202991 CET	50079	445	192.168.2.7	58.100.254.22
Jan 14, 2025 23:01:46.052982092 CET	445	50079	58.100.254.22	192.168.2.7
Jan 14, 2025 23:01:46.053071976 CET	50079	445	192.168.2.7	58.100.254.22
Jan 14, 2025 23:01:46.053155899 CET	50079	445	192.168.2.7	58.100.254.22
Jan 14, 2025 23:01:46.053343058 CET	50080	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.058130980 CET	445	50080	58.100.254.1	192.168.2.7
Jan 14, 2025 23:01:46.058191061 CET	50080	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.058212042 CET	50080	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.058444977 CET	50081	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.059006929 CET	445	50079	58.100.254.22	192.168.2.7
Jan 14, 2025 23:01:46.059065104 CET	50079	445	192.168.2.7	58.100.254.22
Jan 14, 2025 23:01:46.063138008 CET	445	50080	58.100.254.1	192.168.2.7
Jan 14, 2025 23:01:46.063189983 CET	50080	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.063194990 CET	445	50081	58.100.254.1	192.168.2.7
Jan 14, 2025 23:01:46.063369036 CET	50081	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.063369036 CET	50081	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:01:46.068191051 CET	445	50081	58.100.254.1	192.168.2.7
Jan 14, 2025 23:01:47.136310101 CET	445	49725	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:47.136476994 CET	49725	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:47.136476994 CET	49725	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:47.136559010 CET	49725	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:47.141403913 CET	445	49725	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:47.141438961 CET	445	49725	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:48.065383911 CET	50117	445	192.168.2.7	102.252.16.166
Jan 14, 2025 23:01:48.070274115 CET	445	50117	102.252.16.166	192.168.2.7
Jan 14, 2025 23:01:48.070363045 CET	50117	445	192.168.2.7	102.252.16.166
Jan 14, 2025 23:01:48.070435047 CET	50117	445	192.168.2.7	102.252.16.166
Jan 14, 2025 23:01:48.070611954 CET	50119	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.075366974 CET	445	50117	102.252.16.166	192.168.2.7
Jan 14, 2025 23:01:48.075423956 CET	445	50119	102.252.16.1	192.168.2.7
Jan 14, 2025 23:01:48.075454950 CET	50117	445	192.168.2.7	102.252.16.166
Jan 14, 2025 23:01:48.075494051 CET	50119	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.075562000 CET	50119	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.075917006 CET	50120	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.080360889 CET	445	50119	102.252.16.1	192.168.2.7
Jan 14, 2025 23:01:48.080421925 CET	50119	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.080698967 CET	445	50120	102.252.16.1	192.168.2.7
Jan 14, 2025 23:01:48.080765009 CET	50120	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.080828905 CET	50120	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:01:48.085546970 CET	445	50120	102.252.16.1	192.168.2.7
Jan 14, 2025 23:01:49.169904947 CET	445	49761	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:49.169986010 CET	49761	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:49.170049906 CET	49761	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:49.170157909 CET	49761	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:49.174767017 CET	445	49761	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:49.174874067 CET	445	49761	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:50.079982996 CET	50155	445	192.168.2.7	67.118.253.243
Jan 14, 2025 23:01:50.084872961 CET	445	50155	67.118.253.243	192.168.2.7
Jan 14, 2025 23:01:50.084939957 CET	50155	445	192.168.2.7	67.118.253.243
Jan 14, 2025 23:01:50.084980965 CET	50155	445	192.168.2.7	67.118.253.243
Jan 14, 2025 23:01:50.085098028 CET	50156	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.089907885 CET	445	50156	67.118.253.1	192.168.2.7
Jan 14, 2025 23:01:50.089917898 CET	445	50155	67.118.253.243	192.168.2.7
Jan 14, 2025 23:01:50.089986086 CET	50155	445	192.168.2.7	67.118.253.243
Jan 14, 2025 23:01:50.089992046 CET	50156	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.090058088 CET	50156	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.090346098 CET	50157	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.094948053 CET	445	50156	67.118.253.1	192.168.2.7
Jan 14, 2025 23:01:50.094990969 CET	50156	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.095164061 CET	445	50157	67.118.253.1	192.168.2.7
Jan 14, 2025 23:01:50.095230103 CET	50157	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.095268965 CET	50157	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:01:50.100044012 CET	445	50157	67.118.253.1	192.168.2.7
Jan 14, 2025 23:01:50.141942024 CET	50160	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:50.146821022 CET	445	50160	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:50.146909952 CET	50160	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:50.146956921 CET	50160	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:01:50.151743889 CET	445	50160	141.193.184.1	192.168.2.7
Jan 14, 2025 23:01:51.216571093 CET	445	49799	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:51.216706991 CET	49799	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:51.216809034 CET	49799	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:51.216809034 CET	49799	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:51.221796989 CET	445	49799	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:51.221818924 CET	445	49799	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:52.116838932 CET	50181	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.121646881 CET	445	50181	221.226.81.1	192.168.2.7
Jan 14, 2025 23:01:52.121766090 CET	50181	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.121799946 CET	50181	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.121931076 CET	50182	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.126713037 CET	445	50182	221.226.81.1	192.168.2.7
Jan 14, 2025 23:01:52.126766920 CET	50182	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.126810074 CET	50182	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.126981974 CET	445	50181	221.226.81.1	192.168.2.7
Jan 14, 2025 23:01:52.127115011 CET	50181	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.127340078 CET	50183	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.131820917 CET	445	50182	221.226.81.1	192.168.2.7
Jan 14, 2025 23:01:52.131870985 CET	50182	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.132097006 CET	445	50183	221.226.81.1	192.168.2.7
Jan 14, 2025 23:01:52.132167101 CET	50183	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.132167101 CET	50183	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:01:52.137001038 CET	445	50183	221.226.81.1	192.168.2.7
Jan 14, 2025 23:01:52.187174082 CET	50184	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:52.191925049 CET	445	50184	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:52.191991091 CET	50184	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:52.192050934 CET	50184	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:01:52.196769953 CET	445	50184	198.110.238.1	192.168.2.7
Jan 14, 2025 23:01:53.167924881 CET	445	49831	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:53.167998075 CET	49831	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:53.170617104 CET	49831	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:53.170681953 CET	49831	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:53.175447941 CET	445	49831	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:53.175457954 CET	445	49831	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:54.111216068 CET	50196	445	192.168.2.7	102.242.240.207
Jan 14, 2025 23:01:54.116430044 CET	445	50196	102.242.240.207	192.168.2.7
Jan 14, 2025 23:01:54.116518021 CET	50196	445	192.168.2.7	102.242.240.207
Jan 14, 2025 23:01:54.116564989 CET	50196	445	192.168.2.7	102.242.240.207
Jan 14, 2025 23:01:54.116688967 CET	50197	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.121567965 CET	445	50197	102.242.240.1	192.168.2.7
Jan 14, 2025 23:01:54.121711016 CET	445	50196	102.242.240.207	192.168.2.7
Jan 14, 2025 23:01:54.121743917 CET	50197	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.121783018 CET	50196	445	192.168.2.7	102.242.240.207
Jan 14, 2025 23:01:54.121859074 CET	50197	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.122142076 CET	50198	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.126739025 CET	445	50197	102.242.240.1	192.168.2.7
Jan 14, 2025 23:01:54.126802921 CET	50197	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.127019882 CET	445	50198	102.242.240.1	192.168.2.7
Jan 14, 2025 23:01:54.127091885 CET	50198	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.127121925 CET	50198	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:01:54.132606983 CET	445	50198	102.242.240.1	192.168.2.7
Jan 14, 2025 23:01:54.220312119 CET	50201	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:54.227456093 CET	445	50201	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:54.227600098 CET	50201	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:54.227658987 CET	50201	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:01:54.232445002 CET	445	50201	99.232.202.1	192.168.2.7
Jan 14, 2025 23:01:55.590025902 CET	445	49864	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:55.590123892 CET	49864	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:55.602873087 CET	49864	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:55.602997065 CET	49864	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:55.607660055 CET	445	49864	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:55.607810020 CET	445	49864	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:56.131459951 CET	50214	445	192.168.2.7	148.67.37.27
Jan 14, 2025 23:01:56.136398077 CET	445	50214	148.67.37.27	192.168.2.7
Jan 14, 2025 23:01:56.136476994 CET	50214	445	192.168.2.7	148.67.37.27
Jan 14, 2025 23:01:56.153240919 CET	50214	445	192.168.2.7	148.67.37.27
Jan 14, 2025 23:01:56.153438091 CET	50215	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.158221960 CET	445	50214	148.67.37.27	192.168.2.7
Jan 14, 2025 23:01:56.158289909 CET	50214	445	192.168.2.7	148.67.37.27
Jan 14, 2025 23:01:56.158313036 CET	445	50215	148.67.37.1	192.168.2.7
Jan 14, 2025 23:01:56.158379078 CET	50215	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.167176008 CET	50215	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.167454004 CET	50216	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.172307014 CET	445	50215	148.67.37.1	192.168.2.7
Jan 14, 2025 23:01:56.172349930 CET	445	50216	148.67.37.1	192.168.2.7
Jan 14, 2025 23:01:56.172386885 CET	50215	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.172418118 CET	50216	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.178951979 CET	50216	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:01:56.179189920 CET	50217	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:56.183800936 CET	445	50216	148.67.37.1	192.168.2.7
Jan 14, 2025 23:01:56.184113026 CET	445	50217	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:56.184184074 CET	50217	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:56.186871052 CET	50217	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:01:56.191723108 CET	445	50217	79.169.8.1	192.168.2.7
Jan 14, 2025 23:01:57.371274948 CET	445	49899	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:57.374064922 CET	49899	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:57.374166965 CET	49899	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:57.374248981 CET	49899	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:01:57.378969908 CET	445	49899	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:57.379026890 CET	445	49899	39.80.197.1	192.168.2.7
Jan 14, 2025 23:01:58.142229080 CET	50230	445	192.168.2.7	53.1.126.57
Jan 14, 2025 23:01:58.147156954 CET	445	50230	53.1.126.57	192.168.2.7
Jan 14, 2025 23:01:58.147229910 CET	50230	445	192.168.2.7	53.1.126.57
Jan 14, 2025 23:01:58.147252083 CET	50230	445	192.168.2.7	53.1.126.57
Jan 14, 2025 23:01:58.147452116 CET	50231	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.152226925 CET	445	50230	53.1.126.57	192.168.2.7
Jan 14, 2025 23:01:58.152290106 CET	50230	445	192.168.2.7	53.1.126.57
Jan 14, 2025 23:01:58.152318954 CET	445	50231	53.1.126.1	192.168.2.7
Jan 14, 2025 23:01:58.152395010 CET	50231	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.152395010 CET	50231	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.152690887 CET	50232	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.157490015 CET	445	50231	53.1.126.1	192.168.2.7
Jan 14, 2025 23:01:58.157553911 CET	50231	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.157643080 CET	445	50232	53.1.126.1	192.168.2.7
Jan 14, 2025 23:01:58.157706022 CET	50232	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.157723904 CET	50232	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:01:58.162576914 CET	445	50232	53.1.126.1	192.168.2.7
Jan 14, 2025 23:01:58.610907078 CET	50236	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:58.615870953 CET	445	50236	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:58.616002083 CET	50236	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:58.616035938 CET	50236	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:01:58.621550083 CET	445	50236	207.147.9.1	192.168.2.7
Jan 14, 2025 23:01:59.388895035 CET	445	49934	140.192.249.1	192.168.2.7
Jan 14, 2025 23:01:59.388988972 CET	49934	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:59.389204025 CET	49934	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:59.389204025 CET	49934	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:01:59.394045115 CET	445	49934	140.192.249.1	192.168.2.7
Jan 14, 2025 23:01:59.394099951 CET	445	49934	140.192.249.1	192.168.2.7
Jan 14, 2025 23:02:00.158679962 CET	50247	445	192.168.2.7	130.143.132.21
Jan 14, 2025 23:02:00.163528919 CET	445	50247	130.143.132.21	192.168.2.7
Jan 14, 2025 23:02:00.163605928 CET	50247	445	192.168.2.7	130.143.132.21
Jan 14, 2025 23:02:00.163778067 CET	50247	445	192.168.2.7	130.143.132.21
Jan 14, 2025 23:02:00.163928986 CET	50248	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.168562889 CET	445	50247	130.143.132.21	192.168.2.7
Jan 14, 2025 23:02:00.168629885 CET	50247	445	192.168.2.7	130.143.132.21
Jan 14, 2025 23:02:00.168759108 CET	445	50248	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:00.168808937 CET	50248	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.168884039 CET	50248	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.169243097 CET	50249	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.173697948 CET	445	50248	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:00.173738956 CET	50248	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.174071074 CET	445	50249	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:00.174129963 CET	50249	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.174149990 CET	50249	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:00.179064035 CET	445	50249	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:00.376605988 CET	50250	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:02:00.381541014 CET	445	50250	39.80.197.1	192.168.2.7
Jan 14, 2025 23:02:00.381633043 CET	50250	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:02:00.381691933 CET	50250	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:02:00.388720989 CET	445	50250	39.80.197.1	192.168.2.7
Jan 14, 2025 23:02:01.423940897 CET	445	49973	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:01.424022913 CET	49973	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:01.424087048 CET	49973	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:01.424249887 CET	49973	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:01.428864002 CET	445	49973	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:01.429126024 CET	445	49973	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:02.033312082 CET	50263	445	192.168.2.7	70.226.142.101
Jan 14, 2025 23:02:02.038193941 CET	445	50263	70.226.142.101	192.168.2.7
Jan 14, 2025 23:02:02.038391113 CET	50263	445	192.168.2.7	70.226.142.101
Jan 14, 2025 23:02:02.038391113 CET	50263	445	192.168.2.7	70.226.142.101
Jan 14, 2025 23:02:02.038391113 CET	50264	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.043585062 CET	445	50264	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:02.043770075 CET	445	50263	70.226.142.101	192.168.2.7
Jan 14, 2025 23:02:02.043785095 CET	50264	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.043785095 CET	50264	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.043831110 CET	50263	445	192.168.2.7	70.226.142.101
Jan 14, 2025 23:02:02.043906927 CET	50265	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.049155951 CET	445	50265	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:02.049243927 CET	50265	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.049254894 CET	445	50264	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:02.049280882 CET	50265	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.049432039 CET	50264	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:02.054455042 CET	445	50265	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:02.392174006 CET	50269	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:02:02.397242069 CET	445	50269	140.192.249.1	192.168.2.7
Jan 14, 2025 23:02:02.397358894 CET	50269	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:02:02.397397995 CET	50269	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:02:02.402338028 CET	445	50269	140.192.249.1	192.168.2.7
Jan 14, 2025 23:02:03.436161995 CET	445	50007	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:03.436248064 CET	50007	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:03.445348978 CET	50007	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:03.445403099 CET	50007	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:03.450259924 CET	445	50007	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:03.450299978 CET	445	50007	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:03.790019989 CET	50275	445	192.168.2.7	149.20.247.102
Jan 14, 2025 23:02:03.794895887 CET	445	50275	149.20.247.102	192.168.2.7
Jan 14, 2025 23:02:03.794956923 CET	50275	445	192.168.2.7	149.20.247.102
Jan 14, 2025 23:02:03.796916962 CET	50275	445	192.168.2.7	149.20.247.102
Jan 14, 2025 23:02:03.797086954 CET	50276	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.801734924 CET	445	50275	149.20.247.102	192.168.2.7
Jan 14, 2025 23:02:03.801781893 CET	50275	445	192.168.2.7	149.20.247.102
Jan 14, 2025 23:02:03.801920891 CET	445	50276	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:03.801974058 CET	50276	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.805161953 CET	50276	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.805388927 CET	50277	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.810081959 CET	445	50276	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:03.810129881 CET	50276	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.810209990 CET	445	50277	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:03.810267925 CET	50277	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.810286045 CET	50277	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:03.815051079 CET	445	50277	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:04.439189911 CET	50283	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:04.444040060 CET	445	50283	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:04.445012093 CET	50283	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:04.445054054 CET	50283	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:04.449904919 CET	445	50283	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:05.419792891 CET	445	50047	152.147.57.1	192.168.2.7
Jan 14, 2025 23:02:05.419862986 CET	50047	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:05.419905901 CET	50047	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:05.419953108 CET	50047	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:05.423741102 CET	50289	445	192.168.2.7	63.48.67.31
Jan 14, 2025 23:02:05.425837040 CET	445	50047	152.147.57.1	192.168.2.7
Jan 14, 2025 23:02:05.425868034 CET	445	50047	152.147.57.1	192.168.2.7
Jan 14, 2025 23:02:05.429685116 CET	445	50289	63.48.67.31	192.168.2.7
Jan 14, 2025 23:02:05.429755926 CET	50289	445	192.168.2.7	63.48.67.31
Jan 14, 2025 23:02:05.429776907 CET	50289	445	192.168.2.7	63.48.67.31
Jan 14, 2025 23:02:05.429914951 CET	50290	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.436014891 CET	445	50290	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:05.436077118 CET	50290	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.436096907 CET	50290	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.436167955 CET	445	50289	63.48.67.31	192.168.2.7
Jan 14, 2025 23:02:05.436217070 CET	50289	445	192.168.2.7	63.48.67.31
Jan 14, 2025 23:02:05.436301947 CET	50291	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.441134930 CET	445	50290	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:05.441168070 CET	445	50291	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:05.441184998 CET	50290	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.441217899 CET	50291	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.441239119 CET	50291	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:05.446158886 CET	445	50291	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:06.454838037 CET	50298	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:06.459918976 CET	445	50298	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:06.459989071 CET	50298	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:06.460026979 CET	50298	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:06.465176105 CET	445	50298	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:06.955308914 CET	50302	445	192.168.2.7	126.112.145.183
Jan 14, 2025 23:02:06.960376024 CET	445	50302	126.112.145.183	192.168.2.7
Jan 14, 2025 23:02:06.960485935 CET	50302	445	192.168.2.7	126.112.145.183
Jan 14, 2025 23:02:06.960544109 CET	50302	445	192.168.2.7	126.112.145.183
Jan 14, 2025 23:02:06.960787058 CET	50303	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.965502024 CET	445	50302	126.112.145.183	192.168.2.7
Jan 14, 2025 23:02:06.965573072 CET	50302	445	192.168.2.7	126.112.145.183
Jan 14, 2025 23:02:06.965615034 CET	445	50303	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:06.965679884 CET	50303	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.965714931 CET	50303	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.966020107 CET	50304	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.970861912 CET	445	50304	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:06.970889091 CET	445	50303	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:06.970957994 CET	50304	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.971010923 CET	50304	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.971018076 CET	50303	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:06.975843906 CET	445	50304	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:07.418718100 CET	445	50081	58.100.254.1	192.168.2.7
Jan 14, 2025 23:02:07.418838978 CET	50081	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:07.418915033 CET	50081	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:07.419008017 CET	50081	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:07.423773050 CET	445	50081	58.100.254.1	192.168.2.7
Jan 14, 2025 23:02:07.423825026 CET	445	50081	58.100.254.1	192.168.2.7
Jan 14, 2025 23:02:08.377764940 CET	50313	445	192.168.2.7	59.193.85.172
Jan 14, 2025 23:02:08.382637024 CET	445	50313	59.193.85.172	192.168.2.7
Jan 14, 2025 23:02:08.382765055 CET	50313	445	192.168.2.7	59.193.85.172
Jan 14, 2025 23:02:08.382920027 CET	50313	445	192.168.2.7	59.193.85.172
Jan 14, 2025 23:02:08.383162975 CET	50314	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.387877941 CET	445	50313	59.193.85.172	192.168.2.7
Jan 14, 2025 23:02:08.387955904 CET	50313	445	192.168.2.7	59.193.85.172
Jan 14, 2025 23:02:08.388000965 CET	445	50314	59.193.85.1	192.168.2.7
Jan 14, 2025 23:02:08.388072968 CET	50314	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.388169050 CET	50314	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.388542891 CET	50315	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.394150972 CET	445	50314	59.193.85.1	192.168.2.7
Jan 14, 2025 23:02:08.394184113 CET	445	50315	59.193.85.1	192.168.2.7
Jan 14, 2025 23:02:08.394207954 CET	50314	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.394260883 CET	50315	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.394310951 CET	50315	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:08.400316000 CET	445	50315	59.193.85.1	192.168.2.7
Jan 14, 2025 23:02:08.423721075 CET	50316	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:08.430896044 CET	445	50316	152.147.57.1	192.168.2.7
Jan 14, 2025 23:02:08.430989981 CET	50316	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:08.431026936 CET	50316	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:08.435856104 CET	445	50316	152.147.57.1	192.168.2.7
Jan 14, 2025 23:02:09.434504986 CET	445	50120	102.252.16.1	192.168.2.7
Jan 14, 2025 23:02:09.434588909 CET	50120	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:09.434638977 CET	50120	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:09.434700966 CET	50120	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:09.439507008 CET	445	50120	102.252.16.1	192.168.2.7
Jan 14, 2025 23:02:09.439539909 CET	445	50120	102.252.16.1	192.168.2.7
Jan 14, 2025 23:02:09.705212116 CET	50317	445	192.168.2.7	130.184.107.238
Jan 14, 2025 23:02:09.710361958 CET	445	50317	130.184.107.238	192.168.2.7
Jan 14, 2025 23:02:09.710546017 CET	50317	445	192.168.2.7	130.184.107.238
Jan 14, 2025 23:02:09.710583925 CET	50317	445	192.168.2.7	130.184.107.238
Jan 14, 2025 23:02:09.710746050 CET	50318	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.715703011 CET	445	50317	130.184.107.238	192.168.2.7
Jan 14, 2025 23:02:09.715739012 CET	445	50318	130.184.107.1	192.168.2.7
Jan 14, 2025 23:02:09.715765953 CET	50317	445	192.168.2.7	130.184.107.238
Jan 14, 2025 23:02:09.715811968 CET	50318	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.715915918 CET	50318	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.716202021 CET	50319	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.721110106 CET	445	50319	130.184.107.1	192.168.2.7
Jan 14, 2025 23:02:09.721175909 CET	50319	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.721256018 CET	445	50318	130.184.107.1	192.168.2.7
Jan 14, 2025 23:02:09.721312046 CET	50318	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.721323013 CET	50319	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:09.726141930 CET	445	50319	130.184.107.1	192.168.2.7
Jan 14, 2025 23:02:10.423743963 CET	50320	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:10.428812981 CET	445	50320	58.100.254.1	192.168.2.7
Jan 14, 2025 23:02:10.428884983 CET	50320	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:10.428927898 CET	50320	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:10.433772087 CET	445	50320	58.100.254.1	192.168.2.7
Jan 14, 2025 23:02:10.939614058 CET	50321	445	192.168.2.7	206.169.28.154
Jan 14, 2025 23:02:10.944722891 CET	445	50321	206.169.28.154	192.168.2.7
Jan 14, 2025 23:02:10.944814920 CET	50321	445	192.168.2.7	206.169.28.154
Jan 14, 2025 23:02:10.944844007 CET	50321	445	192.168.2.7	206.169.28.154
Jan 14, 2025 23:02:10.945038080 CET	50322	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.950014114 CET	445	50322	206.169.28.1	192.168.2.7
Jan 14, 2025 23:02:10.950048923 CET	445	50321	206.169.28.154	192.168.2.7
Jan 14, 2025 23:02:10.950087070 CET	50322	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.950103998 CET	50321	445	192.168.2.7	206.169.28.154
Jan 14, 2025 23:02:10.950182915 CET	50322	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.950582981 CET	50323	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.955552101 CET	445	50323	206.169.28.1	192.168.2.7
Jan 14, 2025 23:02:10.955583096 CET	445	50322	206.169.28.1	192.168.2.7
Jan 14, 2025 23:02:10.955626965 CET	50323	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.955645084 CET	50322	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.955673933 CET	50323	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:10.960505009 CET	445	50323	206.169.28.1	192.168.2.7
Jan 14, 2025 23:02:11.469803095 CET	445	50157	67.118.253.1	192.168.2.7
Jan 14, 2025 23:02:11.470078945 CET	50157	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:11.470078945 CET	50157	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:11.470078945 CET	50157	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:11.475150108 CET	445	50157	67.118.253.1	192.168.2.7
Jan 14, 2025 23:02:11.475162983 CET	445	50157	67.118.253.1	192.168.2.7
Jan 14, 2025 23:02:11.512772083 CET	445	50160	141.193.184.1	192.168.2.7
Jan 14, 2025 23:02:11.512958050 CET	50160	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:02:11.513030052 CET	50160	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:02:11.513086081 CET	50160	445	192.168.2.7	141.193.184.1
Jan 14, 2025 23:02:11.517843008 CET	445	50160	141.193.184.1	192.168.2.7
Jan 14, 2025 23:02:11.517869949 CET	445	50160	141.193.184.1	192.168.2.7
Jan 14, 2025 23:02:11.564547062 CET	50324	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.569420099 CET	445	50324	141.193.184.2	192.168.2.7
Jan 14, 2025 23:02:11.569492102 CET	50324	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.569547892 CET	50324	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.569802999 CET	50325	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.574609995 CET	445	50324	141.193.184.2	192.168.2.7
Jan 14, 2025 23:02:11.574620008 CET	445	50325	141.193.184.2	192.168.2.7
Jan 14, 2025 23:02:11.574661970 CET	50324	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.574682951 CET	50325	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.574734926 CET	50325	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:11.579471111 CET	445	50325	141.193.184.2	192.168.2.7
Jan 14, 2025 23:02:12.101903915 CET	50326	445	192.168.2.7	132.251.70.33
Jan 14, 2025 23:02:12.106758118 CET	445	50326	132.251.70.33	192.168.2.7
Jan 14, 2025 23:02:12.106832981 CET	50326	445	192.168.2.7	132.251.70.33
Jan 14, 2025 23:02:12.106924057 CET	50326	445	192.168.2.7	132.251.70.33
Jan 14, 2025 23:02:12.107089043 CET	50327	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.111890078 CET	445	50326	132.251.70.33	192.168.2.7
Jan 14, 2025 23:02:12.111901999 CET	445	50327	132.251.70.1	192.168.2.7
Jan 14, 2025 23:02:12.111937046 CET	50326	445	192.168.2.7	132.251.70.33
Jan 14, 2025 23:02:12.111970901 CET	50327	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.112052917 CET	50327	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.116884947 CET	50328	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.117237091 CET	445	50327	132.251.70.1	192.168.2.7
Jan 14, 2025 23:02:12.117279053 CET	50327	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.121745110 CET	445	50328	132.251.70.1	192.168.2.7
Jan 14, 2025 23:02:12.121793032 CET	50328	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.121820927 CET	50328	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:12.126590967 CET	445	50328	132.251.70.1	192.168.2.7
Jan 14, 2025 23:02:12.442528009 CET	50329	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:12.447290897 CET	445	50329	102.252.16.1	192.168.2.7
Jan 14, 2025 23:02:12.447385073 CET	50329	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:12.447416067 CET	50329	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:12.452157021 CET	445	50329	102.252.16.1	192.168.2.7
Jan 14, 2025 23:02:13.329467058 CET	50330	445	192.168.2.7	109.143.164.166
Jan 14, 2025 23:02:13.334217072 CET	445	50330	109.143.164.166	192.168.2.7
Jan 14, 2025 23:02:13.334278107 CET	50330	445	192.168.2.7	109.143.164.166
Jan 14, 2025 23:02:13.334351063 CET	50330	445	192.168.2.7	109.143.164.166
Jan 14, 2025 23:02:13.334481955 CET	50331	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.339240074 CET	445	50330	109.143.164.166	192.168.2.7
Jan 14, 2025 23:02:13.339262962 CET	445	50331	109.143.164.1	192.168.2.7
Jan 14, 2025 23:02:13.339286089 CET	50330	445	192.168.2.7	109.143.164.166
Jan 14, 2025 23:02:13.339332104 CET	50331	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.339437962 CET	50331	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.344232082 CET	445	50331	109.143.164.1	192.168.2.7
Jan 14, 2025 23:02:13.344278097 CET	50331	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.408323050 CET	50332	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.413227081 CET	445	50332	109.143.164.1	192.168.2.7
Jan 14, 2025 23:02:13.413311958 CET	50332	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.413363934 CET	50332	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:13.418163061 CET	445	50332	109.143.164.1	192.168.2.7
Jan 14, 2025 23:02:13.518467903 CET	445	50183	221.226.81.1	192.168.2.7
Jan 14, 2025 23:02:13.518541098 CET	50183	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:13.518570900 CET	50183	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:13.518618107 CET	50183	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:13.523375988 CET	445	50183	221.226.81.1	192.168.2.7
Jan 14, 2025 23:02:13.523386002 CET	445	50183	221.226.81.1	192.168.2.7
Jan 14, 2025 23:02:13.561347008 CET	445	50184	198.110.238.1	192.168.2.7
Jan 14, 2025 23:02:13.561404943 CET	50184	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:02:13.561480999 CET	50184	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:02:13.561572075 CET	50184	445	192.168.2.7	198.110.238.1
Jan 14, 2025 23:02:13.566230059 CET	445	50184	198.110.238.1	192.168.2.7
Jan 14, 2025 23:02:13.566375971 CET	445	50184	198.110.238.1	192.168.2.7
Jan 14, 2025 23:02:13.627127886 CET	50333	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.631977081 CET	445	50333	198.110.238.2	192.168.2.7
Jan 14, 2025 23:02:13.632065058 CET	50333	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.632091999 CET	50333	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.632606983 CET	50334	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.637907028 CET	445	50334	198.110.238.2	192.168.2.7
Jan 14, 2025 23:02:13.637979984 CET	50334	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.637984037 CET	445	50333	198.110.238.2	192.168.2.7
Jan 14, 2025 23:02:13.638015032 CET	50334	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.638086081 CET	50333	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:13.643021107 CET	445	50334	198.110.238.2	192.168.2.7
Jan 14, 2025 23:02:14.283557892 CET	50335	445	192.168.2.7	219.56.238.165
Jan 14, 2025 23:02:14.288436890 CET	445	50335	219.56.238.165	192.168.2.7
Jan 14, 2025 23:02:14.288535118 CET	50335	445	192.168.2.7	219.56.238.165
Jan 14, 2025 23:02:14.288583994 CET	50335	445	192.168.2.7	219.56.238.165
Jan 14, 2025 23:02:14.288800955 CET	50336	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.293668985 CET	445	50336	219.56.238.1	192.168.2.7
Jan 14, 2025 23:02:14.293740034 CET	50336	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.293827057 CET	445	50335	219.56.238.165	192.168.2.7
Jan 14, 2025 23:02:14.293847084 CET	50336	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.293880939 CET	50335	445	192.168.2.7	219.56.238.165
Jan 14, 2025 23:02:14.294354916 CET	50337	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.300122976 CET	445	50337	219.56.238.1	192.168.2.7
Jan 14, 2025 23:02:14.300154924 CET	445	50336	219.56.238.1	192.168.2.7
Jan 14, 2025 23:02:14.300206900 CET	50337	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.300225019 CET	50336	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.300259113 CET	50337	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:14.306236029 CET	445	50337	219.56.238.1	192.168.2.7
Jan 14, 2025 23:02:14.471267939 CET	50338	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:14.476315022 CET	445	50338	67.118.253.1	192.168.2.7
Jan 14, 2025 23:02:14.476402998 CET	50338	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:14.476486921 CET	50338	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:14.481276989 CET	445	50338	67.118.253.1	192.168.2.7
Jan 14, 2025 23:02:15.221841097 CET	50340	445	192.168.2.7	182.19.215.54
Jan 14, 2025 23:02:15.226957083 CET	445	50340	182.19.215.54	192.168.2.7
Jan 14, 2025 23:02:15.227039099 CET	50340	445	192.168.2.7	182.19.215.54
Jan 14, 2025 23:02:15.227097988 CET	50340	445	192.168.2.7	182.19.215.54
Jan 14, 2025 23:02:15.227255106 CET	50341	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.232105970 CET	445	50341	182.19.215.1	192.168.2.7
Jan 14, 2025 23:02:15.232156992 CET	445	50340	182.19.215.54	192.168.2.7
Jan 14, 2025 23:02:15.232175112 CET	50341	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.232202053 CET	50341	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.232219934 CET	50340	445	192.168.2.7	182.19.215.54
Jan 14, 2025 23:02:15.232769012 CET	50342	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.238034964 CET	445	50341	182.19.215.1	192.168.2.7
Jan 14, 2025 23:02:15.238089085 CET	50341	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.238544941 CET	445	50342	182.19.215.1	192.168.2.7
Jan 14, 2025 23:02:15.238606930 CET	50342	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.238660097 CET	50342	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:15.243421078 CET	445	50342	182.19.215.1	192.168.2.7
Jan 14, 2025 23:02:15.514755964 CET	445	50198	102.242.240.1	192.168.2.7
Jan 14, 2025 23:02:15.514832973 CET	50198	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:15.514873981 CET	50198	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:15.514894009 CET	50198	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:15.519798040 CET	445	50198	102.242.240.1	192.168.2.7
Jan 14, 2025 23:02:15.519828081 CET	445	50198	102.242.240.1	192.168.2.7
Jan 14, 2025 23:02:15.637999058 CET	445	50201	99.232.202.1	192.168.2.7
Jan 14, 2025 23:02:15.638135910 CET	50201	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:02:15.638200045 CET	50201	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:02:15.638262033 CET	50201	445	192.168.2.7	99.232.202.1
Jan 14, 2025 23:02:15.643220901 CET	445	50201	99.232.202.1	192.168.2.7
Jan 14, 2025 23:02:15.643254042 CET	445	50201	99.232.202.1	192.168.2.7
Jan 14, 2025 23:02:15.689894915 CET	50343	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.695261955 CET	445	50343	99.232.202.2	192.168.2.7
Jan 14, 2025 23:02:15.695384026 CET	50343	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.695478916 CET	50343	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.695724010 CET	50344	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.700700998 CET	445	50344	99.232.202.2	192.168.2.7
Jan 14, 2025 23:02:15.700778961 CET	50344	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.700803995 CET	50344	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.700941086 CET	445	50343	99.232.202.2	192.168.2.7
Jan 14, 2025 23:02:15.701010942 CET	50343	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:15.705586910 CET	445	50344	99.232.202.2	192.168.2.7
Jan 14, 2025 23:02:16.114212036 CET	50345	445	192.168.2.7	59.243.164.63
Jan 14, 2025 23:02:16.119066000 CET	445	50345	59.243.164.63	192.168.2.7
Jan 14, 2025 23:02:16.119133949 CET	50345	445	192.168.2.7	59.243.164.63
Jan 14, 2025 23:02:16.119215965 CET	50345	445	192.168.2.7	59.243.164.63
Jan 14, 2025 23:02:16.119357109 CET	50346	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.124273062 CET	445	50346	59.243.164.1	192.168.2.7
Jan 14, 2025 23:02:16.124310970 CET	445	50345	59.243.164.63	192.168.2.7
Jan 14, 2025 23:02:16.124336004 CET	50346	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.124356985 CET	50345	445	192.168.2.7	59.243.164.63
Jan 14, 2025 23:02:16.124433994 CET	50346	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.124959946 CET	50347	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.129455090 CET	445	50346	59.243.164.1	192.168.2.7
Jan 14, 2025 23:02:16.129506111 CET	50346	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.129760027 CET	445	50347	59.243.164.1	192.168.2.7
Jan 14, 2025 23:02:16.129924059 CET	50347	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.138712883 CET	50347	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:16.143537045 CET	445	50347	59.243.164.1	192.168.2.7
Jan 14, 2025 23:02:16.545572996 CET	50348	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:16.550445080 CET	445	50348	221.226.81.1	192.168.2.7
Jan 14, 2025 23:02:16.550534964 CET	50348	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:16.550733089 CET	50348	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:16.555540085 CET	445	50348	221.226.81.1	192.168.2.7
Jan 14, 2025 23:02:16.939780951 CET	50349	445	192.168.2.7	167.178.222.57
Jan 14, 2025 23:02:16.944725037 CET	445	50349	167.178.222.57	192.168.2.7
Jan 14, 2025 23:02:16.944792986 CET	50349	445	192.168.2.7	167.178.222.57
Jan 14, 2025 23:02:16.944819927 CET	50349	445	192.168.2.7	167.178.222.57
Jan 14, 2025 23:02:16.944984913 CET	50350	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.949798107 CET	445	50349	167.178.222.57	192.168.2.7
Jan 14, 2025 23:02:16.949830055 CET	445	50350	167.178.222.1	192.168.2.7
Jan 14, 2025 23:02:16.949852943 CET	50349	445	192.168.2.7	167.178.222.57
Jan 14, 2025 23:02:16.949934959 CET	50350	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.949973106 CET	50350	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.950185061 CET	50351	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.954857111 CET	445	50350	167.178.222.1	192.168.2.7
Jan 14, 2025 23:02:16.955046892 CET	445	50351	167.178.222.1	192.168.2.7
Jan 14, 2025 23:02:16.955101967 CET	50351	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.955102921 CET	50350	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.955132008 CET	50351	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:16.960135937 CET	445	50351	167.178.222.1	192.168.2.7
Jan 14, 2025 23:02:17.544162989 CET	445	50216	148.67.37.1	192.168.2.7
Jan 14, 2025 23:02:17.546057940 CET	445	50217	79.169.8.1	192.168.2.7
Jan 14, 2025 23:02:17.546159983 CET	50216	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:17.546215057 CET	50217	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:02:17.546215057 CET	50217	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:02:17.546236038 CET	50216	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:17.546258926 CET	50217	445	192.168.2.7	79.169.8.1
Jan 14, 2025 23:02:17.546283007 CET	50216	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:17.551126003 CET	445	50216	148.67.37.1	192.168.2.7
Jan 14, 2025 23:02:17.551136971 CET	445	50217	79.169.8.1	192.168.2.7
Jan 14, 2025 23:02:17.551143885 CET	445	50217	79.169.8.1	192.168.2.7
Jan 14, 2025 23:02:17.551152945 CET	445	50216	148.67.37.1	192.168.2.7
Jan 14, 2025 23:02:17.611829996 CET	50352	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.616712093 CET	445	50352	79.169.8.2	192.168.2.7
Jan 14, 2025 23:02:17.618685007 CET	50352	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.618685007 CET	50352	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.619028091 CET	50353	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.623672009 CET	445	50352	79.169.8.2	192.168.2.7
Jan 14, 2025 23:02:17.623792887 CET	445	50353	79.169.8.2	192.168.2.7
Jan 14, 2025 23:02:17.623846054 CET	50352	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.623872042 CET	50353	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.623922110 CET	50353	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:17.628632069 CET	445	50353	79.169.8.2	192.168.2.7
Jan 14, 2025 23:02:17.705832005 CET	50354	445	192.168.2.7	54.79.81.130
Jan 14, 2025 23:02:17.710650921 CET	445	50354	54.79.81.130	192.168.2.7
Jan 14, 2025 23:02:17.710730076 CET	50354	445	192.168.2.7	54.79.81.130
Jan 14, 2025 23:02:17.710777044 CET	50354	445	192.168.2.7	54.79.81.130
Jan 14, 2025 23:02:17.710946083 CET	50355	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.715774059 CET	445	50355	54.79.81.1	192.168.2.7
Jan 14, 2025 23:02:17.715826988 CET	50355	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.715893984 CET	50355	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.715918064 CET	445	50354	54.79.81.130	192.168.2.7
Jan 14, 2025 23:02:17.715960979 CET	50354	445	192.168.2.7	54.79.81.130
Jan 14, 2025 23:02:17.716186047 CET	50356	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.720808983 CET	445	50355	54.79.81.1	192.168.2.7
Jan 14, 2025 23:02:17.720931053 CET	445	50356	54.79.81.1	192.168.2.7
Jan 14, 2025 23:02:17.720988035 CET	50355	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.721015930 CET	50356	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.721079111 CET	50356	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:17.725789070 CET	445	50356	54.79.81.1	192.168.2.7
Jan 14, 2025 23:02:18.517913103 CET	50358	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:18.522758961 CET	445	50358	102.242.240.1	192.168.2.7
Jan 14, 2025 23:02:18.522850037 CET	50358	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:18.522978067 CET	50358	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:18.527770042 CET	445	50358	102.242.240.1	192.168.2.7
Jan 14, 2025 23:02:19.341598988 CET	443	49912	104.98.116.138	192.168.2.7
Jan 14, 2025 23:02:19.341844082 CET	49912	443	192.168.2.7	104.98.116.138
Jan 14, 2025 23:02:19.529479980 CET	445	50232	53.1.126.1	192.168.2.7
Jan 14, 2025 23:02:19.529603004 CET	50232	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:19.529603958 CET	50232	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:19.529670954 CET	50232	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:19.534434080 CET	445	50232	53.1.126.1	192.168.2.7
Jan 14, 2025 23:02:19.534513950 CET	445	50232	53.1.126.1	192.168.2.7
Jan 14, 2025 23:02:19.998498917 CET	445	50236	207.147.9.1	192.168.2.7
Jan 14, 2025 23:02:19.998646975 CET	50236	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:02:19.998868942 CET	50236	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:02:19.999094963 CET	50236	445	192.168.2.7	207.147.9.1
Jan 14, 2025 23:02:20.003922939 CET	445	50236	207.147.9.1	192.168.2.7
Jan 14, 2025 23:02:20.003961086 CET	445	50236	207.147.9.1	192.168.2.7
Jan 14, 2025 23:02:20.064982891 CET	50362	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.070039988 CET	445	50362	207.147.9.2	192.168.2.7
Jan 14, 2025 23:02:20.070142984 CET	50362	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.070158958 CET	50362	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.070560932 CET	50363	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.075099945 CET	445	50362	207.147.9.2	192.168.2.7
Jan 14, 2025 23:02:20.075161934 CET	50362	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.075432062 CET	445	50363	207.147.9.2	192.168.2.7
Jan 14, 2025 23:02:20.075520992 CET	50363	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.075520992 CET	50363	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:20.080357075 CET	445	50363	207.147.9.2	192.168.2.7
Jan 14, 2025 23:02:20.549254894 CET	50366	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:20.554128885 CET	445	50366	148.67.37.1	192.168.2.7
Jan 14, 2025 23:02:20.554250956 CET	50366	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:20.554338932 CET	50366	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:20.559909105 CET	445	50366	148.67.37.1	192.168.2.7
Jan 14, 2025 23:02:21.550285101 CET	445	50249	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:21.550360918 CET	50249	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:21.550434113 CET	50249	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:21.550488949 CET	50249	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:21.555452108 CET	445	50249	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:21.555484056 CET	445	50249	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:21.779422045 CET	445	50250	39.80.197.1	192.168.2.7
Jan 14, 2025 23:02:21.779520988 CET	50250	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:02:21.779598951 CET	50250	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:02:21.779669046 CET	50250	445	192.168.2.7	39.80.197.1
Jan 14, 2025 23:02:21.784538984 CET	445	50250	39.80.197.1	192.168.2.7
Jan 14, 2025 23:02:21.784590960 CET	445	50250	39.80.197.1	192.168.2.7
Jan 14, 2025 23:02:21.846122980 CET	50374	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.851633072 CET	445	50374	39.80.197.2	192.168.2.7
Jan 14, 2025 23:02:21.851710081 CET	50374	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.851733923 CET	50374	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.852020025 CET	50376	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.856806040 CET	445	50374	39.80.197.2	192.168.2.7
Jan 14, 2025 23:02:21.856862068 CET	445	50376	39.80.197.2	192.168.2.7
Jan 14, 2025 23:02:21.856869936 CET	50374	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.856935024 CET	50376	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.856976032 CET	50376	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:21.861735106 CET	445	50376	39.80.197.2	192.168.2.7
Jan 14, 2025 23:02:22.533658028 CET	50382	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:22.566766977 CET	445	50382	53.1.126.1	192.168.2.7
Jan 14, 2025 23:02:22.566849947 CET	50382	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:22.566904068 CET	50382	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:22.571769953 CET	445	50382	53.1.126.1	192.168.2.7
Jan 14, 2025 23:02:23.483172894 CET	445	50265	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:23.483253956 CET	50265	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:23.483294964 CET	50265	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:23.483361006 CET	50265	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:23.488562107 CET	445	50265	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:23.488730907 CET	445	50265	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:23.897830963 CET	445	50269	140.192.249.1	192.168.2.7
Jan 14, 2025 23:02:23.897947073 CET	50269	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:02:23.898056030 CET	50269	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:02:23.898056030 CET	50269	445	192.168.2.7	140.192.249.1
Jan 14, 2025 23:02:23.902936935 CET	445	50269	140.192.249.1	192.168.2.7
Jan 14, 2025 23:02:23.903009892 CET	445	50269	140.192.249.1	192.168.2.7
Jan 14, 2025 23:02:23.955559015 CET	50397	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.960796118 CET	445	50397	140.192.249.2	192.168.2.7
Jan 14, 2025 23:02:23.960896969 CET	50397	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.960922003 CET	50397	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.961272001 CET	50398	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.966187000 CET	445	50398	140.192.249.2	192.168.2.7
Jan 14, 2025 23:02:23.966288090 CET	50398	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.966288090 CET	50398	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.966377020 CET	445	50397	140.192.249.2	192.168.2.7
Jan 14, 2025 23:02:23.966432095 CET	50397	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:23.971144915 CET	445	50398	140.192.249.2	192.168.2.7
Jan 14, 2025 23:02:24.564917088 CET	50407	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:24.570589066 CET	445	50407	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:24.570658922 CET	50407	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:24.570702076 CET	50407	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:24.575495005 CET	445	50407	130.143.132.1	192.168.2.7
Jan 14, 2025 23:02:25.175200939 CET	445	50277	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:25.175266981 CET	50277	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:25.175335884 CET	50277	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:25.175378084 CET	50277	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:25.180232048 CET	445	50277	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:25.180262089 CET	445	50277	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:25.841409922 CET	445	50283	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:25.841682911 CET	50283	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:25.841682911 CET	50283	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:25.841684103 CET	50283	445	192.168.2.7	71.53.117.1
Jan 14, 2025 23:02:25.847026110 CET	445	50283	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:25.847081900 CET	445	50283	71.53.117.1	192.168.2.7
Jan 14, 2025 23:02:25.893275976 CET	50432	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.898355961 CET	445	50432	71.53.117.2	192.168.2.7
Jan 14, 2025 23:02:25.898478985 CET	50432	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.898585081 CET	50432	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.904010057 CET	445	50432	71.53.117.2	192.168.2.7
Jan 14, 2025 23:02:25.904099941 CET	50432	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.912698030 CET	50433	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.917613029 CET	445	50433	71.53.117.2	192.168.2.7
Jan 14, 2025 23:02:25.917706013 CET	50433	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.917746067 CET	50433	445	192.168.2.7	71.53.117.2
Jan 14, 2025 23:02:25.922605038 CET	445	50433	71.53.117.2	192.168.2.7
Jan 14, 2025 23:02:26.486861944 CET	50448	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:26.491988897 CET	445	50448	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:26.492114067 CET	50448	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:26.492202044 CET	50448	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:26.497030973 CET	445	50448	70.226.142.1	192.168.2.7
Jan 14, 2025 23:02:26.845491886 CET	445	50291	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:26.845706940 CET	50291	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:26.845844030 CET	50291	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:26.845906973 CET	50291	445	192.168.2.7	63.48.67.1
Jan 14, 2025 23:02:26.850728989 CET	445	50291	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:26.850759983 CET	445	50291	63.48.67.1	192.168.2.7
Jan 14, 2025 23:02:27.890558004 CET	445	50298	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:27.890728951 CET	50298	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:27.890728951 CET	50298	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:27.890777111 CET	50298	445	192.168.2.7	59.130.120.1
Jan 14, 2025 23:02:27.895680904 CET	445	50298	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:27.895709038 CET	445	50298	59.130.120.1	192.168.2.7
Jan 14, 2025 23:02:27.956089020 CET	50493	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.961119890 CET	445	50493	59.130.120.2	192.168.2.7
Jan 14, 2025 23:02:27.961253881 CET	50493	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.961349964 CET	50493	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.961739063 CET	50494	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.966265917 CET	445	50493	59.130.120.2	192.168.2.7
Jan 14, 2025 23:02:27.966346979 CET	50493	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.966615915 CET	445	50494	59.130.120.2	192.168.2.7
Jan 14, 2025 23:02:27.966686010 CET	50494	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.966730118 CET	50494	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:27.971524000 CET	445	50494	59.130.120.2	192.168.2.7
Jan 14, 2025 23:02:28.190046072 CET	50506	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:28.195018053 CET	445	50506	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:28.195210934 CET	50506	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:28.195255995 CET	50506	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:28.200086117 CET	445	50506	149.20.247.1	192.168.2.7
Jan 14, 2025 23:02:28.345623970 CET	445	50304	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:28.345757008 CET	50304	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:28.345803022 CET	50304	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:28.345849037 CET	50304	445	192.168.2.7	126.112.145.1
Jan 14, 2025 23:02:28.350940943 CET	445	50304	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:28.350977898 CET	445	50304	126.112.145.1	192.168.2.7
Jan 14, 2025 23:02:29.800946951 CET	445	50315	59.193.85.1	192.168.2.7
Jan 14, 2025 23:02:29.801023006 CET	50315	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:29.827109098 CET	445	50316	152.147.57.1	192.168.2.7
Jan 14, 2025 23:02:29.827176094 CET	50316	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:30.547887087 CET	50325	445	192.168.2.7	141.193.184.2
Jan 14, 2025 23:02:30.547951937 CET	50407	445	192.168.2.7	130.143.132.1
Jan 14, 2025 23:02:30.547992945 CET	50398	445	192.168.2.7	140.192.249.2
Jan 14, 2025 23:02:30.548032999 CET	50353	445	192.168.2.7	79.169.8.2
Jan 14, 2025 23:02:30.548077106 CET	50334	445	192.168.2.7	198.110.238.2
Jan 14, 2025 23:02:30.548118114 CET	50363	445	192.168.2.7	207.147.9.2
Jan 14, 2025 23:02:30.548163891 CET	50344	445	192.168.2.7	99.232.202.2
Jan 14, 2025 23:02:30.548209906 CET	50315	445	192.168.2.7	59.193.85.1
Jan 14, 2025 23:02:30.548224926 CET	50316	445	192.168.2.7	152.147.57.1
Jan 14, 2025 23:02:30.548244953 CET	50319	445	192.168.2.7	130.184.107.1
Jan 14, 2025 23:02:30.548297882 CET	50320	445	192.168.2.7	58.100.254.1
Jan 14, 2025 23:02:30.548297882 CET	50323	445	192.168.2.7	206.169.28.1
Jan 14, 2025 23:02:30.548317909 CET	50328	445	192.168.2.7	132.251.70.1
Jan 14, 2025 23:02:30.548372984 CET	50332	445	192.168.2.7	109.143.164.1
Jan 14, 2025 23:02:30.548384905 CET	50329	445	192.168.2.7	102.252.16.1
Jan 14, 2025 23:02:30.548413038 CET	50338	445	192.168.2.7	67.118.253.1
Jan 14, 2025 23:02:30.548410892 CET	50337	445	192.168.2.7	219.56.238.1
Jan 14, 2025 23:02:30.548434973 CET	50342	445	192.168.2.7	182.19.215.1
Jan 14, 2025 23:02:30.548464060 CET	50347	445	192.168.2.7	59.243.164.1
Jan 14, 2025 23:02:30.548477888 CET	50348	445	192.168.2.7	221.226.81.1
Jan 14, 2025 23:02:30.548499107 CET	50351	445	192.168.2.7	167.178.222.1
Jan 14, 2025 23:02:30.548521042 CET	50356	445	192.168.2.7	54.79.81.1
Jan 14, 2025 23:02:30.548552990 CET	50366	445	192.168.2.7	148.67.37.1
Jan 14, 2025 23:02:30.548573017 CET	50358	445	192.168.2.7	102.242.240.1
Jan 14, 2025 23:02:30.548625946 CET	50382	445	192.168.2.7	53.1.126.1
Jan 14, 2025 23:02:30.548652887 CET	50376	445	192.168.2.7	39.80.197.2
Jan 14, 2025 23:02:30.548722029 CET	50448	445	192.168.2.7	70.226.142.1
Jan 14, 2025 23:02:30.548827887 CET	50494	445	192.168.2.7	59.130.120.2
Jan 14, 2025 23:02:30.548880100 CET	50506	445	192.168.2.7	149.20.247.1
Jan 14, 2025 23:02:30.549300909 CET	50433	445	192.168.2.7	71.53.117.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 23:01:20.733320951 CET	123	123	192.168.2.7	20.101.57.9
Jan 14, 2025 23:01:21.012875080 CET	123	123	20.101.57.9	192.168.2.7
Jan 14, 2025 23:01:21.914964914 CET	55123	53	192.168.2.7	1.1.1.1
Jan 14, 2025 23:01:22.068334103 CET	53	55123	1.1.1.1	192.168.2.7
Jan 14, 2025 23:01:22.687971115 CET	61092	53	192.168.2.7	1.1.1.1
Jan 14, 2025 23:01:23.015113115 CET	53	61092	1.1.1.1	192.168.2.7
Jan 14, 2025 23:02:14.998446941 CET	138	138	192.168.2.7	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 23:01:21.914964914 CET	192.168.2.7	1.1.1.1	0xb9ab	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:01:22.687971115 CET	192.168.2.7	1.1.1.1	0x9d26	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 23:01:22.068334103 CET	1.1.1.1	192.168.2.7	0xb9ab	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 23:01:23.015113115 CET	1.1.1.1	192.168.2.7	0x9d26	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 23:01:23.015113115 CET	1.1.1.1	192.168.2.7	0x9d26	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	103.224.212.215	80	7532	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:22.080096006 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:01:22.671039104 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:22 GMT server: Apache set-cookie: __tad=1736892082.2055222; expires=Fri, 12-Jan-2035 22:01:22 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c202 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	199.59.243.228	80	7532	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:23.022124052 CET	169	OUT	GET /?subid1=20250115-0901-22d6-8491-861bb1f7c202 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:01:23.475541115 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:22 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: da1960cc-605f-446a-be7b-4e08db166a04 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aYH5ztsFtJ4E1XHCMtw41BD0jm0wmAfXpK5TjcZtQOkQvwVCtpqstxFrGPVxpFOBStbcC2TBH1qzNyYiTacI+w== set-cookie: parking_session=da1960cc-605f-446a-be7b-4e08db166a04; expires=Tue, 14 Jan 2025 22:16:23 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 59 48 35 7a 74 73 46 74 4a 34 45 31 58 48 43 4d 74 77 34 31 42 44 30 6a 6d 30 77 6d 41 66 58 70 4b 35 54 6a 63 5a 74 51 4f 6b 51 76 77 56 43 74 70 71 73 74 78 46 72 47 50 56 78 70 46 4f 42 53 74 62 63 43 32 54 42 48 31 71 7a 4e 79 59 69 54 61 63 49 2b 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aYH5ztsFtJ4E1XHCMtw41BD0jm0wmAfXpK5TjcZtQOkQvwVCtpqstxFrGPVxpFOBStbcC2TBH1qzNyYiTacI+w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:01:23.475580931 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGExOTYwY2MtNjA1Zi00NDZhLWJlN2ItNGUwOGRiMTY2YTA0IiwicGFnZV90aW1lIjoxNzM2ODkyMDgzLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49713	103.224.212.215	80	7648	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:24.591661930 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 23:01:25.242415905 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:25 GMT server: Apache set-cookie: __tad=1736892085.2689601; expires=Fri, 12-Jan-2035 22:01:25 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f19b content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49714	103.224.212.215	80	7732	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:24.711371899 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736892082.2055222
Jan 14, 2025 23:01:25.350713968 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 22:01:25 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b467 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49715	199.59.243.228	80	7648	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:25.251307011 CET	169	OUT	GET /?subid1=20250115-0901-2581-9013-e164d1a0f19b HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 23:01:25.716434956 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:25 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 10e28ea9-42b9-40b7-91af-7d05cb6e341d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ms8sstjClFy6j8mo7Dm5+05morFtSdSklhex6YIfvHmESbIdleLVsHcxOBhA5TJyBcambhOQ0CLZP/Njf7UH2g== set-cookie: parking_session=10e28ea9-42b9-40b7-91af-7d05cb6e341d; expires=Tue, 14 Jan 2025 22:16:25 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 73 38 73 73 74 6a 43 6c 46 79 36 6a 38 6d 6f 37 44 6d 35 2b 30 35 6d 6f 72 46 74 53 64 53 6b 6c 68 65 78 36 59 49 66 76 48 6d 45 53 62 49 64 6c 65 4c 56 73 48 63 78 4f 42 68 41 35 54 4a 79 42 63 61 6d 62 68 4f 51 30 43 4c 5a 50 2f 4e 6a 66 37 55 48 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ms8sstjClFy6j8mo7Dm5+05morFtSdSklhex6YIfvHmESbIdleLVsHcxOBhA5TJyBcambhOQ0CLZP/Njf7UH2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 23:01:25.716480970 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTBlMjhlYTktNDJiOS00MGI3LTkxYWYtN2QwNWNiNmUzNDFkIiwicGFnZV90aW1lIjoxNzM2ODkyMDg1LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49716	199.59.243.228	80	7732	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 23:01:25.363534927 CET	231	OUT	GET /?subid1=20250115-0901-251a-92a0-3fc33577b467 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=da1960cc-605f-446a-be7b-4e08db166a04
Jan 14, 2025 23:01:25.824352026 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 22:01:25 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: cec769e2-5bc0-46aa-81e8-04e566204af1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GjIux4AEXJ9ZPWhL2ql2nqALh34CHZSvwO9yYTXRzeB1e2Y+ryWwtEfOGOo7Bzj+lBTgn0naaezNY0363JabGQ== set-cookie: parking_session=da1960cc-605f-446a-be7b-4e08db166a04; expires=Tue, 14 Jan 2025 22:16:25 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 47 6a 49 75 78 34 41 45 58 4a 39 5a 50 57 68 4c 32 71 6c 32 6e 71 41 4c 68 33 34 43 48 5a 53 76 77 4f 39 79 59 54 58 52 7a 65 42 31 65 32 59 2b 72 79 57 77 74 45 66 4f 47 4f 6f 37 42 7a 6a 2b 6c 42 54 67 6e 30 6e 61 61 65 7a 4e 59 30 33 36 33 4a 61 62 47 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GjIux4AEXJ9ZPWhL2ql2nqALh34CHZSvwO9yYTXRzeB1e2Y+ryWwtEfOGOo7Bzj+lBTgn0naaezNY0363JabGQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 23:01:25.824409008 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGExOTYwY2MtNjA1Zi00NDZhLWJlN2ItNGUwOGRiMTY2YTA0IiwicGFnZV90aW1lIjoxNzM2ODkyMDg1LCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	17:01:20
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll"
Imagebase:	0x8f0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:01:20
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:01:20
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:01:20
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\sLlAsC4I5r.dll,PlayGame
Imagebase:	0x5c0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:01:20
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",#1
Imagebase:	0x5c0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:01:20
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	7FB008D5D5B7287BE887984844A4AC41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1336491510.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:01:22
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	7FB008D5D5B7287BE887984844A4AC41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.1357140442.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2015410106.000000000227D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2015123751.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:01:23
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\sLlAsC4I5r.dll",PlayGame
Imagebase:	0x5c0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:01:23
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	7FB008D5D5B7287BE887984844A4AC41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1378591463.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.1365489627.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FBD0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CloseHandle, xrefs: 00407D29
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
CreateFileA, xrefs: 00407D0F
D, xrefs: 00407ED3
tasksche.exe, xrefs: 00407DEA

Memory Dump Source

Source File: 00000006.00000002.1377189927.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1377173915.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377210942.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377280026.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377366936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1377189927.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1377173915.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377210942.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377280026.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377366936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1377189927.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1377173915.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377210942.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377280026.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377366936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FBD0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.1377189927.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1377173915.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377210942.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377280026.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377366936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6FBD0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1377189927.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1377173915.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377210942.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377280026.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1377366936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7648, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6FBD0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2014128224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2014109618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014147791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014227844.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014245603.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014362748.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2014128224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2014109618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014147791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014227844.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014245603.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014362748.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FBD0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000007.00000002.2014128224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2014109618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014147791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014227844.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014245603.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014362748.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FBD0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

tasksche.exe, xrefs: 00407DEA
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000007.00000002.2014128224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2014109618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014147791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014227844.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014245603.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014362748.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2014128224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2014109618.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014147791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014164274.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014227844.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014245603.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2014362748.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c2	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f19b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f1	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/S	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b4	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b467	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c202	Avira URL Cloud: Label: malware

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 79%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 79%

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-22d6-8491-861bb1f7c202 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736892082.2055222
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-2581-9013-e164d1a0f19b HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0901-251a-92a0-3fc33577b467 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=da1960cc-605f-446a-be7b-4e08db166a04

Source: sLlAsC4I5r.dll	Virustotal: Detection: 94%			Perma Link
Source: sLlAsC4I5r.dll	ReversingLabs: Detection: 90%

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49705 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49713 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.54
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.54
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.54
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.54
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 141.193.184.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.235
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.235
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.235
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.235
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.232.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.81
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.81
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.81
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.81
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 79.169.8.1
Source: unknown	TCP traffic detected without corresponding DNS query: 207.147.9.74
Source: unknown	TCP traffic detected without corresponding DNS query: 207.147.9.74
Source: unknown	TCP traffic detected without corresponding DNS query: 207.147.9.74

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.1377577741.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2
Source: mssecsvr.exe, 00000006.00000002.1377577741.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1377577741.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1377577741.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-22d6-8491-861bb1f7c2
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000003.1377483851.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-251a-92a0-3fc33577b4
Source: mssecsvr.exe, 00000007.00000002.2014635150.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0901-2581-9013-e164d1a0f1
Source: mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/S
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/r
Source: sLlAsC4I5r.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com#
Source: mssecsvr.exe, 00000006.00000002.1377577741.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1377577741.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.1379157550.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000007.00000002.2014635150.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/22
Source: mssecsvr.exe, 00000009.00000002.1379157550.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/6L
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/B
Source: mssecsvr.exe, 00000006.00000002.1377577741.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/L
Source: mssecsvr.exe, 00000007.00000002.2014062047.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000009.00000002.1379157550.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comr

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912

Source: Yara match	File source: sLlAsC4I5r.dll, type: SAMPLE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227d948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.226e8c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227d948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d550a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.22798e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1377230250.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2014209867.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1378591463.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1336491510.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1365489627.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1357140442.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2015410106.000000000227D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2015123751.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7732, type: MEMORYSTR

Source: sLlAsC4I5r.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.226e8c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d4a084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.227d948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227d948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.226e8c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.226e8c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.227d948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d550a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22798e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: sLlAsC4I5r.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.226e8c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d4a084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.227d948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227d948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.226e8c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.226e8c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.227d948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d550a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22798e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		7_2_00407C40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sLlAsC4I5r.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
sLlAsC4I5r.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre